Magento stores have fallen prey to a new wave of malware attack via backdoored extensions. Researchers have spotted numerous backdoored extensions running on various online stores that were infected following a supply-chain attack.
Backdoored Magento Extensions Infect E-Stores
Researchers from Sansec security firm have discovered a malicious campaign targeting online stores via infected site extensions. They observed multiple backdoored Magento extensions propagating the malware to different e-stores in this campaign.
Specifically, the researchers noticed 21 different apps with the same backdoor, hinting at the similar origin of the threat.
Notably, the infection is not recent. Sansec observed that the extensions were likely backdoored roughly 6 years ago, but the malware remained dormant throughout the years, only becoming active now after undergoing extensive development. This pattern indicates a supply-chain attack: the attackers compromised certain vendors and infected their extensions in order to reach the vendors’ customer stores.
Sansec researchers have shared the complete list of affected extensions that belong to three vendors: Tigren, Meetanshi, and MGS. These backdoored extensions appeared online between 2019 and 2022. According to the researchers, the attackers breached the respective vendors’ servers to infect the extensions with the malware. However, the malware remained dormant, activating only recently to target hundreds of online stores, including a $40 billion multinational that Sansec didn’t name.
Following this discovery, the researchers reached out to the respective vendors. However, they did not receive satisfactory remedial responses. Specifically, neither MGS nor Tigren had removed the infected extensions at the time of the report. MGS did not respond at all, and Tigren denied any hacking attack. Meetanshi, while denying any software tampering, admitted to having suffered a server breach.
In addition to the mentioned vendors, the researchers also spotted a backdoored version of the Weltpixel GoogleTagManager extension. However, they couldn’t determine whether that infection happened at the vendor’s end or at the stores themselves.
Recommended Remediation
Sansec researchers have shared details about the backdoor infection in their post. Briefly, the malware resides in files named License.php or LicenseApi.php that contain a fake license check; executing this malicious file executes the malware. The evil is in the adminLoadLicense function, which executes $licenseFile as PHP. The $licenseFile can be controlled by the attacker using the adminUploadLicense function.
Hence, the researchers advise store admins to remove the fake license file, which removes the backdoor from their e-stores. Users should also remain careful when installing or updating any software from the mentioned vendors.
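To locate candidate files before removing them, a store admin can scan the Magento code tree for the pattern described above: a License.php or LicenseApi.php that defines adminLoadLicense and adminUploadLicense and turns a writable file into executed PHP. The scanner below is an added example, not Sansec’s tooling or any vendor’s code; the indicator regexes and the constructed sample tree (module names Acme and Other, a two-line stand-in for the fake license check) are assumptions for illustration.

```python
import os
import re
import tempfile

SUSPECT_NAMES = {"License.php", "LicenseApi.php"}
# Function names reported in the article plus PHP constructs that turn an
# uploaded file into executed code; several together is the signal.
INDICATORS = {
    "adminLoadLicense": re.compile(r"\badminLoadLicense\b"),
    "adminUploadLicense": re.compile(r"\badminUploadLicense\b"),
    "dynamic_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$"),
    "eval": re.compile(r"\beval\s*\("),
    "file_write": re.compile(r"\bfile_put_contents\s*\("),
}

def scan_file(path):
    """Return the indicator names present in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def scan_tree(root, min_hits=2):
    """Walk root and report suspect-named files with >= min_hits indicators.
    Returns {relative_path: [indicators]} so it can feed a ticket or alert."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname not in SUSPECT_NAMES:
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_tree():
    """Constructed sample tree (not real extension code) used for a self-test."""
    root = tempfile.mkdtemp(prefix="magento_scan_")
    bad = os.path.join(root, "app", "code", "Acme", "Module", "Helper")
    good = os.path.join(root, "app", "code", "Other", "Module", "Helper")
    for d in (bad, good):
        os.makedirs(d)
    with open(os.path.join(bad, "License.php"), "w") as fh:
        fh.write("<?php\nfunction adminUploadLicense($d){file_put_contents($this->f,$d);}\n"
                 "function adminLoadLicense(){include $this->f;}\n")
    with open(os.path.join(good, "License.php"), "w") as fh:
        fh.write("<?php\nfunction checkLicense($k){return hash('sha256',$k)===EXPECTED;}\n")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run it against the store’s app/code and vendor directories; a benign license helper with a single hit is reported only if min_hits is lowered, so review the listed indicators rather than deleting on file name alone.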
Let us know your thoughts in the comments.