Hackers breach FishPig servers to add backdoors

FishPig extensions have about 200,000 downloads


All paid extensions have been compromised, but the free version appears to be safe

Cybercriminals have managed to implant malware in servers belonging to an unknown number of online retailers after breaking into the server infrastructure of FishPig, a maker of Magento-WordPress integration software with more than 200,000 downloads.

Sansec, the security company that first identified the breach, discovered that attackers had injected malware in the FishPig Magento Security Suite and several other FishPig extensions for Magento 2, to gain access to websites using the products.

The injected malware later installed a Remote Access Trojan (RAT), dubbed 'Rekoobe', which hides on the server as a background process.

Rekoobe, which was discovered in June, poses as a benign SMTP server. When launched from memory it loads its settings, deletes all malicious files from disk, and takes the name of a system service to evade detection.

The Linux rootkit 'Syslogk' has been observed dropping this Trojan in the past. Rekoobe can be triggered by covert commands hidden in its handling of the startTLS command, sent by a remote attacker.

When Rekoobe is activated, it provides a reverse shell that enables the attacker to remotely instruct the compromised server.

Sansec says the FishPig intrusion started on or before 19 August. It added that online stores using FishPig software may now have Rekoobe installed on their servers, giving the hackers admin access.

'It is likely that all paid Fishpig extensions have been compromised. Free extensions that are hosted on Github seem not to be affected,' Sansec said.

FishPig is a UK-based developer of Magento-WordPress integrations. As many as 200,000 websites utilise its eCommerce platform.

Magento is a popular open-source eCommerce platform used to create online marketplaces.

FishPig said on Tuesday that the hackers used their access to insert malicious PHP code into the Helper/License.php file.

'This file is included in most FishPig extensions so it is best to assume that all paid FishPig Magento 2 modules have been infected,' the company said.

It has since removed the malicious code and taken measures to prevent anything similar from happening again.

FishPig is advising all customers to update all FishPig modules, or to reinstall the current versions from source, regardless of whether they use the extensions known to be affected.

Additionally, the firm has made a tool available for users to test for infection in their FishPig files.
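An added example of the comparison that advice implies (this is not FishPig's own tool): hash every file in the installed FishPig module directory against a freshly fetched clean copy of the same modules, flagging content that differs (such as a tampered Helper/License.php) and files that exist only on the server. The directory layout and the sample module are constructed for the demonstration.

```python
"""Compare an installed FishPig module tree with a freshly fetched clean copy."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    # Stream the file so large vendor trees do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def diff_trees(installed_root, clean_root):
    """Return (modified, extra): relative paths whose content differs from the
    clean copy, and files present in the installed tree but absent from it."""
    installed_root, clean_root = Path(installed_root), Path(clean_root)
    modified, extra = [], []
    for p in sorted(installed_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(installed_root).as_posix()
        ref = clean_root / rel
        if not ref.is_file():
            extra.append(rel)        # file the clean package never shipped
        elif sha256_of(p) != sha256_of(ref):
            modified.append(rel)     # e.g. an altered Helper/License.php
    return modified, extra


def demo():
    """Constructed sample: one module whose License.php was altered, plus a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean" / "FishPig_Example" / "Helper"
        inst = Path(tmp) / "installed" / "FishPig_Example" / "Helper"
        clean.mkdir(parents=True)
        inst.mkdir(parents=True)
        original = "<?php\nclass License {}\n"
        (clean / "License.php").write_text(original)
        (inst / "License.php").write_text(original + "// constructed extra line\n")
        (inst / "Extra.php").write_text("<?php // constructed stray file\n")
        return diff_trees(Path(tmp) / "installed", Path(tmp) / "clean")


if __name__ == "__main__":
    print(demo())
```

Point `diff_trees` at the live module directory and at the same modules unpacked from a fresh download; anything reported should be reviewed before the recommended reinstall, since a clean reinstall will erase the evidence.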

Anyone who is concerned that the malware may be infecting their site and needs assistance to fix it may take advantage of FishPig's current offer of a free clean-up service.