A $40 billion multinational company is one of hundreds of ecommerce stores running long-dormant backdoored software that is now abruptly being exploited in the wild, according to research by Sansec.

The ecommerce security experts alleged that while the backdoors had only recently been activated, the code was slipped into place between 2019 and 2022 in 21 software packages, after upstream server breaches at three popular ecommerce plugin providers: Tigren, Meetanshi, and Magesolution.

A backdoored version of server-side analytics firm WeltPixel's GoogleTagManager extension was also identified in the report, but Sansec said it could not establish whether that company's servers had been compromised.

Sansec's researchers claimed the "supply chain hack" had been used to gain "full control" of ecommerce servers and said: “By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.”


Sansec did not name any affected webstores but alleged between 500 and 1,000 stores were running the backdoored software, including the unidentified $40 billion multinational.

Potentially affected stores should search their codebase for License.php or LicenseApi.php files shipped with these extensions and remove them: they carry the fake license check that gives an attacker access to the server.

Affected packages include Tigren's Ajax Suite and MultiCOD, Meetanshi's Cookie Notice and Facebook Chat, and Magesolution's GDPR, Popup and Blog extensions. All of those identified are third-party extensions for the open-source Magento platform, which Adobe acquired in 2018 and which powers around 106,000 stores.

The full list of affected packages

Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD

Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS

MGS (Magesolution): Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog

Tigren informed The Stack it had not uncovered the malware in previous server checks but "after a careful review and with help from Sansec", it identified the backdoor script in an old version of its Ajaxcart package and removed it from its site.

It added it would continue to monitor the situation and "in the meantime, if merchants use these extensions and have the issue, we will provide a free service to remove malware and update Magento security patches."

Meanwhile, Meetanshi confirmed to The Stack that its server had been hacked in 2019, allowing malware code to be injected into some products, but said it had released updated versions of the affected packages within 6-12 months.

It added that after Sansec's report, Meetanshi conducted further analysis and found "the majority of customers who had purchased the affected products have already updated" to new versions but it was "actively reaching out" to the small number yet to update to ensure their systems are secured.

The Stack has also approached Magesolution and WeltPixel for comment.

The execution path

According to Sansec, hackers only appeared to begin exploiting the backdoor in April of this year, despite the affected packages all being published between 2019 and 2022.

As Andrew Henwood, founder of cyber risk mitigation company Blck Rhino, put it: "This is either some super long-term strategic play from a threat actor or the backdoored software and latent malware was forgotten and recently rediscovered."

The execution path runs through the License.php and LicenseApi.php files: a function named adminLoadLicense executes the contents of $licenseFile as PHP, and a companion function, adminUploadLicense, lets the attacker decide what that file contains. Together they hand the attacker arbitrary code execution on the store's server.

The fake license check is then “explicitly activated via registration.php”.

While most versions of the backdoor require a security key matching a hardcoded checksum and salt before the upload is accepted, the packages published in 2019 can be exploited without any authentication, which makes them the most exposed.

Aside from a few unique lines of code for the authorisation checksums, backdoor paths and license filenames, the researchers found the backdoor code was identical across all affected packages.
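Because the backdoor reuses the same file names and function names across vendors, a store can triage its own codebase with a simple heuristic scan. The following script is an added example, not Sansec's tooling or any vendor's code: it walks a Magento tree, picks out files named License.php or LicenseApi.php, reports whether each contains the adminLoadLicense or adminUploadLicense functions and an include/require/eval of a variable path (the "execute $licenseFile as PHP" step), and checks whether a nearby registration.php references the file (the "activated via registration.php" step). The module tree it scans is a constructed fixture; the three-way verdict is a triage heuristic of my own, and any hit is a lead for manual review, not proof of compromise.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# File names the Sansec report ties to the backdoor (matched case-insensitively).
SUSPECT_FILENAMES = {"license.php", "licenseapi.php"}
# Function names the report gives: adminLoadLicense runs the license file as PHP,
# adminUploadLicense lets the attacker write that file.
MARKERS = ("adminLoadLicense", "adminUploadLicense")
# include/require/eval whose target is a variable, i.e. code loaded from a writable path.
DYNAMIC_EXEC = re.compile(r"\b(?:include|require|include_once|require_once|eval)\s*\(?\s*\$\w+")


@dataclass
class Finding:
    path: str
    markers: list = field(default_factory=list)
    dynamic_exec: bool = False
    wired_in_registration: bool = False

    @property
    def verdict(self):
        # Heuristic scoring (my assumption, not from the report): both a marker
        # function and a dynamic include match the described execution path.
        if self.markers and self.dynamic_exec:
            return "likely-backdoor"
        if self.markers or self.dynamic_exec:
            return "review"
        return "benign-name-match"


def _registration_references(path, root):
    """Walk from the file's directory up to root looking for a registration.php
    that names the license file (the report says the check is activated there)."""
    base = os.path.basename(path)
    root = os.path.abspath(root)
    d = os.path.dirname(os.path.abspath(path))
    while True:
        reg = os.path.join(d, "registration.php")
        if os.path.isfile(reg):
            with open(reg, encoding="utf-8", errors="replace") as fh:
                if base in fh.read():
                    return True
        parent = os.path.dirname(d)
        if d == root or parent == d:
            return False
        d = parent


def scan_tree(root):
    """Return a Finding for every License.php / LicenseApi.php under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in SUSPECT_FILENAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            f = Finding(path=path)
            f.markers = [m for m in MARKERS if m in src]
            f.dynamic_exec = bool(DYNAMIC_EXEC.search(src))
            f.wired_in_registration = _registration_references(path, root)
            findings.append(f)
    return findings


def report(root):
    """Map of relative path -> (verdict, wired_in_registration), sorted by path."""
    out = {}
    for f in scan_tree(root):
        rel = os.path.relpath(f.path, root).replace(os.sep, "/")
        out[rel] = (f.verdict, f.wired_in_registration)
    return dict(sorted(out.items()))


def build_sample_tree():
    """Constructed fixture (not real vendor code) with three hypothetical modules:
    one mimicking the described pattern, one with a benign License.php that only
    validates a key format, one with a marker name but no dynamic include."""
    root = tempfile.mkdtemp(prefix="magento_scan_")
    bad = os.path.join(root, "app", "code", "ExampleVendor", "ExampleAjax")
    benign = os.path.join(root, "app", "code", "ExampleVendor", "ExampleBlog")
    partial = os.path.join(root, "app", "code", "ExampleVendor", "ExampleCart")
    for d in (bad, benign, partial):
        os.makedirs(d)
    with open(os.path.join(bad, "License.php"), "w") as fh:
        fh.write("<?php\nclass License {\n  private $licenseFile = __DIR__ . '/license.dat';\n"
                 "  public function adminUploadLicense($data) { file_put_contents($this->licenseFile, $data); }\n"
                 "  public function adminLoadLicense() { $licenseFile = $this->licenseFile; include($licenseFile); }\n}\n")
    with open(os.path.join(bad, "registration.php"), "w") as fh:
        fh.write("<?php\nrequire __DIR__ . '/License.php';\n")
    with open(os.path.join(benign, "License.php"), "w") as fh:
        fh.write("<?php\nclass License {\n  public function isValidFormat($key) {"
                 " return (bool) preg_match('/^[A-Z0-9-]{16,}$/', $key); }\n}\n")
    with open(os.path.join(benign, "registration.php"), "w") as fh:
        fh.write("<?php\nComponentRegistrar::register(ComponentRegistrar::MODULE, 'ExampleVendor_ExampleBlog', __DIR__);\n")
    with open(os.path.join(partial, "LicenseApi.php"), "w") as fh:
        fh.write("<?php\nclass LicenseApi {\n  public function adminLoadLicense() {"
                 " return file_get_contents($this->licenseFile); }\n}\n")
    return root


if __name__ == "__main__":
    for rel, (verdict, wired) in report(build_sample_tree()).items():
        print(f"{verdict:20} registration={'yes' if wired else 'no':3} {rel}")
```

Run it against a real store by calling report() on the Magento root (app/code and vendor) instead of the fixture; a "likely-backdoor" hit that is also wired into registration.php matches every element of the execution path the report describes, while "review" hits deserve a look because the markers are only names and a vendor may have renamed them.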

Figure: table of the unique pieces of backdoor code by vendor. Image credit: Sansec.