Backdoored Magento Extensions Impact Multiple Online Stores

Online Magento stores are currently facing a significant threat from malware attacks through backdoored extensions. Security researchers have identified several infected extensions on various e-commerce websites, which were compromised as a result of a supply-chain attack.

Malicious Magento Extensions Target E-Stores

Sansec, a cybersecurity firm, recently uncovered a malicious campaign that is targeting online stores using infected extensions. They have identified multiple backdoored Magento extensions that are spreading malware across different e-commerce platforms as part of this campaign.

The researchers have identified 21 different apps with the same backdoor, indicating a common source for the threat.

Interestingly, the infected extensions were not recently compromised. Sansec found evidence that these extensions were backdoored approximately six years ago. The malware then remained dormant until recently, when it was activated after significant further development. This behavior points to a supply-chain attack that affected certain vendors and, through them, compromised their customers’ online stores.

Sansec has disclosed a list of affected extensions from three vendors: Tigren, Meetanshi, and MGS. These backdoored extensions were introduced between 2019 and 2022. According to the researchers, the attackers gained access to the vendors’ servers to inject the malware into the extensions. The malware lay dormant for years before becoming active and targeting hundreds of online stores, including a major multinational company valued at $40 billion (unidentified by Sansec).

Upon discovering the infected extensions, the researchers notified the vendors, but the responses were inadequate. MGS and Tigren failed to remove the compromised extensions even after being informed. While MGS did not respond, Tigren denied any hacking incident. In contrast, Meetanshi acknowledged a server breach but denied any tampering with their software.

In addition to the mentioned vendors, the researchers also found a backdoored version of the Weltpixel GoogleTagManager extension. However, they were unable to determine whether the malware infection occurred at the vendor’s end or on the affected stores.

Recommended Actions for Remediation

Sansec has provided detailed information about the backdoor infection in their research post. The malware is typically hidden in files named License.php or LicenseApi.php, which contain a fake license check. Executing these files triggers the malware.

The malicious code is embedded in the adminLoadLicense function, which executes $licenseFile as PHP code. The attacker can control the $licenseFile using the adminUploadLicense function.

Therefore, store administrators are advised to remove the fake license file to eliminate the backdoor from their online stores. Additionally, users should exercise caution when interacting with software from the affected vendors.
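A way to triage a store's code base for the indicators described above (a License.php or LicenseApi.php file that defines adminLoadLicense and adminUploadLicense and feeds data into a code-execution construct). This is an added example written for this article, not Sansec's tooling or any vendor's code; the scoring thresholds and the constructed sample files are assumptions, and a hit means "inspect manually", not a confirmed infection.

```python
"""Heuristic scan of a Magento tree for the fake-license backdoor indicators."""
import os
import re
import tempfile

SUSPECT_NAMES = {"License.php", "LicenseApi.php"}
BACKDOOR_FUNCS = ("adminLoadLicense", "adminUploadLicense")
# Constructs that turn file or request content into executed PHP (heuristic).
EXEC_PATTERNS = re.compile(
    r"\b(eval|assert|create_function)\s*\(|\b(include|require)(_once)?\s*\(?\s*\$", re.I)

def score_file(path):
    """Return (number of indicators, list of reasons) for one PHP file."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return 0, []
    reasons = []
    name = os.path.basename(path)
    if name in SUSPECT_NAMES:
        reasons.append(f"suspect filename {name}")
    funcs = [f for f in BACKDOOR_FUNCS if re.search(rf"function\s+{f}\s*\(", text)]
    if funcs:
        reasons.append("defines " + ", ".join(funcs))
    if EXEC_PATTERNS.search(text):
        reasons.append("dynamic code execution construct")
    return len(reasons), reasons

def scan_tree(root, threshold=2):
    """Map relative path -> reasons for every .php file reaching the threshold."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".php"):
                full = os.path.join(dirpath, f)
                score, reasons = score_file(full)
                if score >= threshold:
                    findings[os.path.relpath(full, root)] = reasons
    return findings

def build_demo_tree():
    """Constructed fixtures (assumption: not real extension code) for a dry run."""
    root = tempfile.mkdtemp(prefix="magento_demo_")
    bad = os.path.join(root, "app/code/Vendor/Module/Helper")
    good = os.path.join(root, "app/code/Other/Module/Helper")
    os.makedirs(bad)
    os.makedirs(good)
    # Stub carrying only the indicators from the article; not a working extension.
    with open(os.path.join(bad, "License.php"), "w") as fh:
        fh.write("<?php\nclass License {\n"
                 "  public function adminUploadLicense($d) { /* stores $licenseFile */ }\n"
                 "  public function adminLoadLicense($licenseFile) { eval($licenseFile); }\n}\n")
    # Benign helper with the same filename: plain comparison, nothing executed.
    with open(os.path.join(good, "License.php"), "w") as fh:
        fh.write("<?php\nclass License {\n"
                 "  public function isValid($key) { return hash_equals($this->expected, $key); }\n}\n")
    return root

if __name__ == "__main__":
    for path, reasons in scan_tree(build_demo_tree()).items():
        print(path, "->", "; ".join(reasons))
```

Run it against a real store with `scan_tree("/path/to/magento")`; a filename match alone scores 1 and is not reported, so legitimate license helpers do not flood the output.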
