On 11th May 2018 the VEL were alerted to an apparently malicious extension. A user had found that the extension Nexevo Contact Form had PHP code hidden inside a PNG file, and had reported it to the JED.
We investigated and found this to be correct. The file was modules/mod_nexevocontact/helpers/loading.png. Upon further review of the code, we found additional malicious code in the other module helper files, dateSelect.php and imageCache.php. Together, what this code was designed to do, was to install a malicious system plugin called System - Section. The code for the plugin was hidden in the PNG file.
System - Section is disguised as a legitimate plugin for JComments. In reality it has nothing to do with JComments, and the only thing that it actually does is to take content from a 3rd party site and insert it into page output. It is probably intended mainly for inserting spam links, but the way that it works is highly insecure, and there is the possibility of also executing PHP code drawn from the 3rd party site, so that it is a true back door and a high level security risk. System - Section is malware, it has no legitimate purpose, and if you ever find it installed on your site you should remove it immediately and treat your site as having been hacked. You can find advice on how to deal with this in the Joomla! security forums at forum.joomla.org .
In this case we think that the malicious code in mod_nexevocontact does not actually execute, so that System - Section is not actually installed, possibly due to a lack of technical competence by the module's creator. However this is not guaranteed. Anyone who has installed the Nexevo Contact Form on their site at any time should check for the existence of the System - Section plugin. There are reports of this plugin being found installed on live sites, though possibly this has happened through direct hacks rather than through an infected extension: there is nothing to directly attribute this to the Nexevo Contact Form module.
In this case the developers have told us that they did not write the malicious code, it was created (or more likely copied) by a freelancer who has now disappeared. This is probably plausible, there are quite a few developers who are not really developers, who just employ freelancers to write their code (they make up quite a lot of the work of the VEL). In our view this does not absolve them from responsibility, they distributed the code. We have removed the extension from the live VEL as the malicious code has been removed, but we will continue to monitor this extension.