Hackers have compromised the infrastructure of FishPig, a company which provides Magento-WordPress integration software with more than 200,000 downloads, and infected multiple extensions, according to Sansec researchers.
The threat actors commandeered FishPig's distribution server on or before August 19 and added malicious code to the vendor's software that installs the Rekoobe remote access trojan, giving them access to websites using the products in what appears to be a supply-chain attack.
Sansec says it discovered malware in the FishPig Magento Security Suite and several other FishPig extensions for Magento 2, and it is possible that all paid FishPig extensions have been compromised. The attack appears not to have affected the free extensions hosted on GitHub.
“Any Magento store who installed or updated paid Fishpig software since then, is now likely running the Rekoobe malware,” the researchers said.
Once launched, Rekoobe removes all malware files and remains in memory. It hides as a system process and mimics system services while waiting for instructions from its command-and-control (C2) server, located in Latvia.
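As an added defensive illustration, not code from the article, Sansec or FishPig: a POSIX shell triage helper that lists Linux processes whose executable has been unlinked from disk, the footprint left by malware that deletes its files and stays resident in memory, plus a weaker check for processes whose name does not match their binary. The PROC_ROOT parameter and the process names used in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, Sansec or FishPig).
# On Linux, a process whose binary was deleted after launch still has a
# /proc/<pid>/exe symlink, but its target ends in " (deleted)".
# The optional first argument points at an alternative /proc tree
# (a copied or constructed one) so the checks can be tested offline.

# Print "pid|comm|exe" for every process running from a deleted binary.
deleted_exe_processes() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # Kernel threads have no readable exe link; skip them.
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        case "$exe" in
            *" (deleted)")
                comm="$(cat "$d/comm" 2>/dev/null)"
                printf '%s|%s|%s\n' "$pid" "$comm" "$exe"
                ;;
        esac
    done
}

# Print "pid|comm|exe" where the process name (comm, max 15 chars) differs
# from the binary's basename: a lead for something posing as a system
# service such as a fake kworker. Interpreters and renamed daemons also
# trigger this, so treat hits as leads, not verdicts.
name_mismatch_processes() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        comm="$(cat "$d/comm" 2>/dev/null)" || continue
        base="${exe##*/}"
        base="${base%" (deleted)"}"
        base="$(printf '%s' "$base" | cut -c1-15)"
        [ "$comm" = "$base" ] || printf '%s|%s|%s\n' "$pid" "$comm" "$exe"
    done
}

# Stand-alone use: sh triage.sh --run  (reads the live /proc)
if [ "${1:-}" = "--run" ]; then
    echo "== processes running from deleted binaries =="
    deleted_exe_processes
    echo "== process name / binary name mismatches =="
    name_mismatch_processes
fi
```

Run it as root to see every process; unprivileged users cannot read the exe link of processes they do not own, so those are silently skipped.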
Sansec researchers said they had not yet detected follow-up abuse via the C2 server. They believe access to the affected stores may be sold in bulk on hacking forums.
FishPig has acknowledged the incident in a security announcement and said that the malicious code has since been removed.
“An intrusion to the FishPig.co.uk extension license system was detected, causing a small piece of malicious PHP code to be injected pre-obfuscation into the Helper/License.php file. This file is included in most FishPig extensions so it is best to assume that all paid FishPig Magento 2 modules have been infected,” the company said.