SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malware Infects Magento-Powered Stores via FishPig Distribution Server

For the past several weeks, Magento stores have been injected with malware via a supply chain attack that targeted the FishPig distribution server.

Specialized in Magento optimizations and Magento-WordPress integrations, FishPig offers various Magento extensions that have gathered over 200,000 downloads.

For the past several weeks, Magento stores have been injected with malware via a supply chain attack that targeted the FishPig distribution server.

Specialized in Magento optimizations and Magento-WordPress integrations, FishPig offers various Magento extensions that have gathered over 200,000 downloads.

On Tuesday, FishPig warned of an intrusion to its extension license system, which resulted in a threat actor injecting malicious PHP code into the Helper/License.php file.

“This file is included in most FishPig extensions so it is best to assume that all FishPig modules had been infected,” FishPig announced.

According to the company, the hackers likely had access to its servers since at least August 6.

The injected code would install another piece of malware, called Rekoobe, which hides itself as a background process on the compromised servers, according to security researchers with Sansec, who identified the intrusion.

The malicious code injected into License.php would download a Linux binary from license.fishpig.co.uk each time the Fishpig control panel is accessed in the Magento backend, Sansec explains. Named ‘lic.bin’, the downloaded file poses as a license asset, but it is, in fact, the Rekoobe remote access trojan.

After execution, the trojan removes all malicious files from the infected machine, but it remains running in memory, where it mimics a system service, while waiting for instructions from its command and control (C&C) server, the researchers note.

Advertisement. Scroll to continue reading.

FishPig says it has removed the malicious code from its servers and has issued updates for all modules.

“It is recommended to upgrade all FishPig modules, or reinstall existing versions from source, regardless of whether or not you are using extensions known to be infected. This will ensure clean and secure code on your system,” FishPig announced.

Related: Vulnerability in BackupBuddy Plugin Exploited to Hack WordPress Sites

Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores

Related: Hundreds of Magento Stores Hacked Daily in Major Skimming Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

CIEM Chat: How to Reduce Cloud Identity Risk
March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

Virtual Event: Ransomware Resilience & Recovery Summit
April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed as CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

Cybercrime

Comodo Forums Hacked via Recently Disclosed vBulletin Vulnerability

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

October 1, 2019
Ransomware Alerts Ransomware Alerts

Cybercrime

Cyber Insights 2023 | Ransomware

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

February 2, 2023
vector embeddings vector embeddings

Risk Management

Cyber Insights 2023 | Supply Chain Security

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

February 2, 2023
Cisco zero-day CVE-2023-20109 exploited Cisco zero-day CVE-2023-20109 exploited

Malware & Threats

Chinese Gov Hackers Caught Hiding in Cisco Router Firmware

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

September 27, 2023
The Five Stories That Shaped Cybersecurity in 2022

Cybersecurity Funding

The Five Stories That Shaped Cybersecurity in 2022

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

December 29, 2022
OT Cybersecurity Webinar OT Cybersecurity Webinar

ICS/OT

Cyber Insights 2023 | ICS and Operational Technology

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

February 1, 2023
Details of Stuxnet Cyberattack Details of Stuxnet Cyberattack

Cyberwarfare

Dutch Engineer Used Water Pump to Get Billion-Dollar Stuxnet Malware Into Iranian Nuclear Facility: Report

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

January 10, 2024
VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Application Security

VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

December 13, 2022