For the past few weeks, a supply chain attack against the FishPig distribution server has been used to inject malware into Magento stores. FishPig, a Magento extension provider with over 200,000 downloads, specializes in Magento optimizations and Magento-WordPress interfaces.
FishPig issued a warning on an intrusion into its extension license system on Tuesday, resulting in a threat actor introducing malicious PHP code into the Helper/License.php file. The company claims that the hackers probably gained access to its systems as early as August 6. Security experts at Sansec discovered the breach and found that the injected code will set up Rekoobe, another malicious program that conceals itself as a background task on the affected systems due to the intrusion.
“An intrusion to the FishPig.co.uk extension license system was detected, causing a small piece of malicious PHP code to be injected pre-obfuscation into the Helper/License.php file. This file is included in most FishPig extensions so it is best to assume that all paid FishPig Magento 2 modules have been infected.,” FishPig said.
According to Sansec, every time the Fishpig control panel is viewed in the Magento backend, the malicious code added into License.php would download a Linux binary from license.fishpig.co.uk. The downloaded file, with the filename “lic.bin,” pretends to be a licensing asset but is actually the Rekoobe remote access trojan.
The researchers observed that after being executed, the trojan deletes all harmful files from the infected machine but continues to operate in memory, imitating a system service, as it waits for commands from its command and control (C&C) server. FishPig claims to have updated all of its modules and removed the malicious malware from its servers.
FishPig advised upgrading all FishPig modules or reinstalling current versions from the source, whether or not you use extensions known to be contaminated. According to the company, this will guarantee that your system has a clean and secure code.