An intrusion into the FishPig.co.uk extension license system was detected, causing a small piece of malicious PHP code to be injected pre-obfuscation into the Helper/License.php file. This file is included in most FishPig extensions, so it is best to assume that all paid FishPig Magento 2 modules have been infected.
FishPig is a UK-based maker of software that integrates Adobe's Magento ecommerce suite with WordPress-powered websites. Its distribution systems were compromised and its products altered so that installations of the code semi-automatically downloaded and ran the Rekoobe Linux trojan.
Infosec outfit Sansec raised the alarm this week that FishPig’s software was acting weird: when a deployment’s control panel was visited by a logged-in Magento staff user, the code would automatically fetch and run from FishPig’s back-end systems a Linux binary that turned out to be Rekoobe. This would open a backdoor allowing miscreants to remotely control the box.
After that, the crooks could snoop on customers, alter or steal data, and so on.
As per FishPig’s disclosure, its products were altered as early as August 6, and the offending code has since been removed. We’re told that the paid-for versions were primarily affected. Free versions of FishPig modules available on GitHub were likely clean.
If you’re using FishPig’s commercial software, you should reinstall the tools and check for signs of compromise.
While it's not known exactly how the attackers broke into FishPig's back-end servers, the outcome is clear: code was added to the License.php file on FishPig's systems that its products fetch and execute when in use. This PHP file had been altered so that it would download and execute a malicious binary also hosted on FishPig's platform. So when a staff user accesses their FishPig deployment's control panel, the altered remotely-hosted License.php is fetched and run, and that in turn runs Rekoobe on the user's web server.
License.php normally checks that the deployment is appropriately paid for and licensed, which is why it's routinely loaded.
Once Rekoobe infects a host, it removes its files and remains hidden in memory as a process, where it waits for commands from a single IP address geo-located in Latvia. Sansec said it expects the mastermind of this caper to sell access to servers compromised via this supply-chain attack.
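The "removes its files and remains hidden in memory" behaviour described above leaves a footprint on Linux that is cheap to check for: the kernel keeps the original executable path in /proc/<pid>/exe and appends " (deleted)" once that file has been unlinked. The following is an added example, not code from the article, Sansec or FishPig; it walks a /proc tree and lists such processes, and includes a constructed miniature /proc so it can be exercised without a live infection. The process names and paths in the sample tree are made up.

```python
import os
import sys
import tempfile


def find_deleted_exe_processes(proc_root="/proc"):
    """Return sorted (pid, comm, exe_target) tuples for every process whose
    executable has been unlinked from disk since it started.

    Linux exposes /proc/<pid>/exe as a symlink to the original binary and
    appends ' (deleted)' once that path no longer exists, which is exactly
    the footprint of a binary that launched and then removed its own file.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            # Kernel threads have no exe link; other users' processes need root.
            continue
        if not target.endswith(" (deleted)"):
            continue
        try:
            with open(os.path.join(pid_dir, "comm"), encoding="utf-8") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        hits.append((int(entry), comm, target))
    return sorted(hits)


def build_sample_proc(root=None):
    """Construct a miniature /proc look-alike for demonstration (constructed data,
    not a real host): pid 100 is an ordinary PHP worker, pid 200 runs from a file
    in /tmp that has since been unlinked, pid 300 mimics a kernel thread with no
    exe link at all."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")
    for pid, comm, exe in ((100, "php-fpm", "/usr/sbin/php-fpm"),
                           (200, "worker", "/tmp/.cache (deleted)"),
                           (300, "kworker", None)):
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w", encoding="utf-8") as fh:
            fh.write(comm + "\n")
        if exe is not None:
            os.symlink(exe, os.path.join(pid_dir, "exe"))
    return root


if __name__ == "__main__":
    # Scan the real /proc by default (run as root to see every user's processes),
    # or pass a directory such as the one build_sample_proc() returns.
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, comm, target in find_deleted_exe_processes(root):
        print(f"pid {pid:>6} {comm:<16} exe -> {target}")
```

A hit is a lead, not a verdict: a long-running daemon whose package was upgraded underneath it shows the same " (deleted)" suffix, so confirm by comparing the process's start time and command line against your change records before acting on it.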
Rekoobe has been floating around the internet in various forms since its discovery in 2015. The variant of Rekoobe used in this attack appears to have been written no earlier than 2018, according to Intezer’s analysis.
Is my site affected?
The easiest way to determine if the FishPig extensions on your site have been infected is to run the following command from the Magento root directory:
php <(curl -Ls https://fishpig.co.uk/rekoobe-sh)
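FishPig's checker above is the authoritative test. As an added, independent example (not FishPig's tool or code), the script below does the kind of local check a practitioner would run alongside it: it walks a Magento root, finds every FishPig Helper/License.php (the vendor/fishpig and app/code/FishPig layouts are assumed), records each file's SHA-256 so it can be compared against a freshly reinstalled copy, and flags PHP constructs that a licence-check helper has no reason to contain, such as eval() over a base64 blob. The sample tree it builds is constructed for demonstration and contains no real FishPig code.

```python
import hashlib
import os
import re
import sys
import tempfile

# Heuristics for injected, obfuscated PHP: runtime code loading and shell
# execution primitives that a licence-check helper has no reason to call.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|"
    r"create_function|system|exec|shell_exec|passthru|proc_open|popen)\s*\(",
    re.IGNORECASE,
)
# Long runs of base64-looking text are another tell for an obfuscated payload.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def is_fishpig_license_file(path):
    """Assumed layout: a Helper/License.php under a path that mentions fishpig
    (vendor/fishpig/... for composer installs, app/code/FishPig/... for manual ones)."""
    norm = path.replace(os.sep, "/").lower()
    return norm.endswith("/helper/license.php") and "fishpig" in norm


def scan_license_files(magento_root):
    """Walk a Magento tree and return {path: {"sha256": ..., "findings": [...]}}
    for every FishPig License.php; findings is empty for files that look clean."""
    report = {}
    for dirpath, _dirs, files in os.walk(magento_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_fishpig_license_file(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", errors="replace")
            findings = sorted({m.group(1).lower() + "()" for m in SUSPICIOUS.finditer(text)})
            if LONG_B64.search(text):
                findings.append("long base64-like blob")
            report[path] = {"sha256": hashlib.sha256(data).hexdigest(), "findings": findings}
    return report


def build_sample_tree(root=None):
    """Construct a throwaway tree with one clean-looking and one tampered module.
    Constructed for demonstration; neither file is real FishPig code, and the
    base64 blob decodes to the string 'ABC' repeated."""
    root = root or tempfile.mkdtemp(prefix="magento-")
    clean = os.path.join(root, "vendor", "fishpig", "module-a", "Helper")
    bad = os.path.join(root, "app", "code", "FishPig", "ModuleB", "Helper")
    os.makedirs(clean)
    os.makedirs(bad)
    stub = "<?php\nclass License { public function isValid() { return true; } }\n"
    with open(os.path.join(clean, "License.php"), "w", encoding="utf-8") as fh:
        fh.write(stub)
    with open(os.path.join(bad, "License.php"), "w", encoding="utf-8") as fh:
        fh.write(stub + "eval(base64_decode('" + "QUJD" * 40 + "'));\n")
    return root


if __name__ == "__main__":
    # Usage: python scan_license.py /path/to/magento   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in sorted(scan_license_files(target).items()):
        status = "SUSPICIOUS" if info["findings"] else "clean-looking"
        print(f"{status:<14} {info['sha256'][:16]}  {path}  {', '.join(info['findings'])}")
```

The hash is the more reliable signal: a file that differs from the copy in a freshly downloaded module is worth explaining regardless of what the pattern matcher says, and the pattern list will miss an injected payload that avoids these function names.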