The hack was reported by the British company FishPig, which develops e-commerce solutions (mainly Magento-WordPress integrations) that have been downloaded more than 200,000 times in total. Unknown persons injected the Rekoobe backdoor into the company's products in order to attack its customers.
Experts at the security company Sansec detailed the attack in their report. According to them, unknown attackers gained control over FishPig's server infrastructure and added malicious code to the company's software. The researchers confirmed the compromise of products such as FishPig Magento Security Suite and FishPig WordPress Multisite, and warn that other paid extensions are likely compromised as well. The free tools the company hosts on GitHub do not appear to have been affected by this attack.
According to experts, hackers injected malicious code into the License.php file, which is responsible for checking the license in FishPig premium plugins. This code downloaded the lic.bin binary from the FishPig servers (license.fishpig.co.uk).
The binary is malware from the Rekoobe family. Previously, this Remote Access Trojan (RAT) was distributed together with the Syslogk Linux rootkit. In the attack on FishPig, the malware disguises itself as a harmless SMTP server and can be activated using hidden commands related to STARTTLS processing. Once activated, Rekoobe provides the hackers with a reverse shell and allows them to remotely issue commands to the infected server.
Sansec writes that Rekoobe is currently idle, waiting for commands from the hackers' control server located in Latvia, which the researchers found at 46.183.217[.]2. It is assumed that the attackers behind this campaign planned to sell access to the compromised stores to other criminals.
As a result, anyone who installed or upgraded FishPig premium products prior to August 19, 2022 should consider their stores compromised and take the following actions immediately:
- disable all FishPig extensions;
- run a malware scanner on the server side;
- restart the server to end any unauthorized background processes;
- add 127.0.0.1 license.fishpig.co.uk to /etc/hosts to block malware outgoing connections.
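The last two steps of that list can be scripted. The following is an added example (not from the article, nor from FishPig or Sansec): it applies the /etc/hosts sinkhole for license.fishpig.co.uk idempotently and checks whether the host currently has a TCP connection to the control-server address named in the report. The hosts file path is a parameter so the function can be exercised against a temporary file; `ss`/`netstat` availability is assumed.

```sh
#!/bin/sh
# Added remediation helper for the FishPig/Rekoobe incident (example code).

BLOCK_DOMAIN="license.fishpig.co.uk"
C2_IP="46.183.217.2"   # control server from the Sansec report (written 46.183.217[.]2 in the article)

# Regex for a line that already sinkholes the domain: "127.0.0.1 <domain>" with dots escaped.
sinkhole_regex() {
    escaped=$(printf '%s' "$BLOCK_DOMAIN" | sed 's/\./\\./g')
    printf '^[[:space:]]*127\\.0\\.0\\.1[[:space:]]+%s([[:space:]]|$)' "$escaped"
}

# Add "127.0.0.1 license.fishpig.co.uk" to a hosts file only if no such line exists yet.
# $1 = hosts file path (defaults to /etc/hosts; a temporary file in tests).
sinkhole_domain() {
    hosts_file="${1:-/etc/hosts}"
    if grep -Eq "$(sinkhole_regex)" "$hosts_file"; then
        return 0   # already blocked; nothing to do
    fi
    printf '127.0.0.1 %s\n' "$BLOCK_DOMAIN" >> "$hosts_file"
}

# Number of sinkhole lines in a hosts file (1 after a correct, idempotent run).
count_sinkhole_lines() {
    grep -Ec "$(sinkhole_regex)" "$1" || true
}

# Return 0 if no established TCP connection to the reported C2 address exists, 1 otherwise.
# Prefers ss (iproute2) and falls back to netstat; both are assumed to be present.
check_c2_connections() {
    if command -v ss >/dev/null 2>&1; then
        conns=$(ss -tn 2>/dev/null || true)
    else
        conns=$(netstat -tn 2>/dev/null || true)
    fi
    if printf '%s\n' "$conns" | grep -Fq "$C2_IP"; then
        echo "ALERT: active connection to reported C2 $C2_IP; treat the host as compromised" >&2
        return 1
    fi
    return 0
}
```

Run `sinkhole_domain` as root to edit the real /etc/hosts, then `check_c2_connections` after the reboot from step 3 to confirm nothing re-established contact.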
Representatives of FishPig told reporters at BleepingComputer that they are currently investigating the incident and studying its consequences.
“The best advice at the moment is to reinstall all FishPig modules. People don’t need to update to the latest version (although they can) as simply reinstalling the same version ensures they have clean code since all infected code has already been removed from FishPig.
The infection was limited to obfuscated code in one file of our separate license.fishpig.co.uk, and it has already been removed, and we have added protection against future attacks. FishPig.co.uk was not affected.
We apologize for any inconvenience users may have experienced. This was an extremely smart targeted attack and we will be more vigilant in the future,” the company said.