Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a “critical patch” but deploy a backdoor instead.
WordPress security company Patchstack described the activity as sophisticated and a variant of another campaign observed in December 2023 that employed a fake CVE ploy to breach sites running the popular content management system (CMS).
Given the similarities in the phishing email lures, the bogus web pages, and the identical methods employed to conceal the malware, it’s believed the latest attack wave is either the work of the same threat actor or it’s a new cluster closely mimicking the earlier one.
“They claim the targeted websites are impacted by a (non-existent) ‘Unauthenticated Administrative Access’ vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website,” security researcher Chazz Wolcott said.
Recipients of the phishing email are urged to click on a “Download Patch” link in order to download and install the supposed security fix. However, doing so redirects them to a spoofed WooCommerce Marketplace page hosted on the domain “woocommėrce[.]com” (note the use of “ė” in place of “e”) from where a ZIP archive (“authbypass-update-31297-id.zip”) can be downloaded.
Victims are then prompted to install the patch as they would install any regular WordPress plugin, effectively unleashing the following series of malicious actions –
- Create a new administrator-level user with an obfuscated username and a randomized password after setting up a randomly named cron job that runs every minute
- Send an HTTP GET request to an external server (“woocommerce-services[.]com/wpapi”) with information about the username and password, along with the infected website’s URL
- Send an HTTP GET request to download a next-stage obfuscated payload from a second server (“woocommerce-help[.]com/activate” or “woocommerce-api[.]com/activate”)
- Decode the payload to extract multiple web shells like P.A.S.-Fork, p0wny, and WSO
- Hide the malicious plugin from the list of plugin and conceal the created administrator account
A net result of the campaign is that it allows the attackers remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.
Users are advised to scan their instances for suspicious plugins or administrator accounts, and ensure that the software is up-to-date.
