FishPig Magento extensions delivered ReKoobe
FishPig's paid Magento 2 extension distribution was compromised in 2022, and altered extension code downloaded the ReKoobe Linux backdoor from FishPig infrastructure when a logged-in Magento staff user visited the FishPig control panel.
Story
FishPig sold Magento extensions that integrated Adobe Commerce and Magento stores with WordPress. That made its paid module distribution path a natural bridge into ecommerce servers: administrators installed the extension to run their storefront, then trusted the module's license checks and backend control panel code as part of normal operations.
The attackers changed License.php, a file normally involved in FishPig license validation. When a logged-in Magento staff user opened the FishPig control panel, the altered code fetched lic.png from license.fishpig.co.uk, saved it as lic.bin, made it executable, ran it with the store's admin domain, and removed the temporary file. The innocent-looking license asset was the ReKoobe Linux backdoor.
ReKoobe used /tmp/.varnish7684 as a guard file, deleted its files after launch, stayed resident in memory, and disguised itself as common system processes such as cron, udevd, auditd, rsyslogd, or dbus-daemon. Sansec reported the malware waited for commands from 46.183.217.223 in Latvia, giving attackers remote control over affected ecommerce servers.
The date boundary is imprecise but important. Sansec said the FishPig distribution server was compromised on or before August 19, 2022, while The Register cited FishPig's disclosure that products were altered as early as August 6. FishPig recommended customers reinstall all paid modules, scan servers, and restart hosts to kill hidden in-memory processes.
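The behaviour described above (guard file, borrowed daemon names, deleted-after-launch in-memory process, fixed command server) translates directly into a host-triage check. The script below is an added example for defenders and is not code from Sansec, FishPig, or the report; the indicators are the ones quoted in the story, while the deleted-binary heuristic for the resident process, the decision to scan /tmp for the dropper name, and the names Snapshot, triage, parse_proc_net_tcp and collect_live are my own assumptions.

```python
import os
import socket
import struct
from dataclasses import dataclass

# Indicators quoted from the Sansec report summarised above.
GUARD_FILE = "/tmp/.varnish7684"
C2_IP = "46.183.217.223"
MASQUERADE_NAMES = {"cron", "udevd", "auditd", "rsyslogd", "dbus-daemon"}
DROPPER_NAMES = {"lic.bin", "lic.png"}


@dataclass
class Snapshot:
    """Host state to evaluate; built from /proc by collect_live() or constructed for tests."""
    files: set        # absolute paths that exist on the host
    processes: list   # dicts with pid, comm, exe (target of the /proc/PID/exe link)
    remote_ips: set   # remote addresses of ESTABLISHED TCP connections


def triage(snap: Snapshot) -> list:
    """Return sorted, human-readable findings that match the reported ReKoobe traits."""
    findings = []
    if GUARD_FILE in snap.files:
        findings.append(f"guard file present: {GUARD_FILE}")
    for path in snap.files:
        if os.path.basename(path) in DROPPER_NAMES:
            findings.append(f"dropper artifact on disk: {path}")
    for proc in snap.processes:
        # Heuristic (my assumption, not from the report): a process carrying one of
        # the daemon names ReKoobe borrowed, whose binary was unlinked after launch
        # (the kernel appends " (deleted)" to the exe link), matches the
        # delete-after-launch, stay-in-memory behaviour described in the story.
        if proc["comm"] in MASQUERADE_NAMES and proc["exe"].endswith("(deleted)"):
            findings.append(
                f"pid {proc['pid']} named {proc['comm']} runs from a deleted binary: {proc['exe']}")
    if C2_IP in snap.remote_ips:
        findings.append(f"established connection to reported C2 {C2_IP}")
    return sorted(findings)


def parse_proc_net_tcp(text: str) -> set:
    """Extract remote IPv4 addresses of ESTABLISHED (state 01) sockets from /proc/net/tcp."""
    ips = set()
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "01":
            continue
        rem_hex = fields[2].split(":")[0]
        # The kernel prints the address as a native-order u32, so unpack it natively.
        ips.add(socket.inet_ntoa(struct.pack("=I", int(rem_hex, 16))))
    return ips


def collect_live() -> Snapshot:
    """Build a Snapshot from the running Linux host (run as root to read every exe link)."""
    files = {GUARD_FILE} if os.path.exists(GUARD_FILE) else set()
    # Assumption: the dropper is looked for under /tmp; the report does not name its directory.
    files.update(os.path.join("/tmp", name) for name in os.listdir("/tmp"))
    processes = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue                              # kernel thread, already exited, or no permission
        processes.append({"pid": int(pid), "comm": comm, "exe": exe})
    with open("/proc/net/tcp") as fh:
        remote_ips = parse_proc_net_tcp(fh.read())
    return Snapshot(files, processes, remote_ips)


if __name__ == "__main__":
    for finding in triage(collect_live()) or ["no ReKoobe indicators found"]:
        print(finding)
```

A clean result from this check does not clear a host that installed a paid FishPig module in the affected window, since the dropper removes its own file and the resident process can carry a different name; the reinstall, scan and restart steps FishPig recommended still apply.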
Affected Artifacts
- Observed: 2022-08-06 to 2022-09-13
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: fishpig.co.uk/magento-2/extensions, distribution: fishpig.co.uk/magento/wordpress-integration, mirror: sansec.io/research/rekoobe-fishpig-magento, file: License.php, +9 more
- Sansec reported malware in FishPig Magento Security Suite and several other FishPig Magento 2 extensions, and said all paid FishPig extensions were likely compromised.
- Free FishPig extensions hosted on GitHub appeared not to be affected.
- Sansec reported more than 200,000 downloads for FishPig software on Packagist; the number of paid-extension customers affected was unknown.
Incident Context
- Motive: Remote Access
- Cause: Vendor Server Compromise
- Transitive: No
External References
Source record: proprietary/fishpig/meta.yaml