FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems.
Although it is unknown how attackers initially gained access to FishPig’s server infrastructure, it is known that malicious code was added to the License.php file hosted on license.fishpig.co[.]uk, which is used initially to verify the customer’s product license.
When a logged-in user visits the control panel, the malicious code downloads and executes a Linux library (lic.bin) from FishPig’s servers. This launches the Rekoobe Linux trojan.
Rekoobe deletes its files after infecting a host and runs stealthily in memory as a process. A backdoor is then created, enabling attackers to control the box remotely and access customer data.
FishPig stated that all paid modules of FishPig Magento 2 were likely affected. FishPig’s free Magento modules on GitHub, which have over 200,000 downloads, are said to be clear of malicious code.
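
A triage check for the behaviour described above, where the trojan keeps running as a process after deleting its on-disk files. This is an added example, not code from FishPig or the original article: it lists Linux processes whose `/proc/<pid>/exe` link points at an unlinked file. The function and field names are assumptions, and a hit is a lead to investigate rather than proof, because services left running across a package upgrade look the same.

```python
import os

# On Linux the kernel appends this marker to /proc/<pid>/exe when the
# backing file has been unlinked (memfd-backed executables show it too).
DELETED_SUFFIX = " (deleted)"


def read_cmdline(pid_dir):
    """Return the process command line with NUL separators turned into spaces."""
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return ""
    return raw.replace(b"\0", b" ").strip().decode(errors="replace")


def find_deleted_exe_processes(proc_root="/proc"):
    """List processes that are still running after their executable was deleted."""
    findings = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        pid_dir = os.path.join(proc_root, pid)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            # Kernel threads have no exe link; other users' processes need root.
            continue
        if not target.endswith(DELETED_SUFFIX):
            continue
        exe_path = target[: -len(DELETED_SUFFIX)]
        findings.append({
            "pid": int(pid),
            "exe": exe_path,
            "cmdline": read_cmdline(pid_dir),
            # lic.bin is the file name given in the article.
            "matches_lic_bin": os.path.basename(exe_path) == "lic.bin",
        })
    return findings


if __name__ == "__main__":
    # Run as root so every process's exe link is readable.
    for hit in find_deleted_exe_processes():
        print(hit["pid"], hit["exe"], hit["cmdline"], hit["matches_lic_bin"])
```
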