Cybersecurity researchers have warned about a massive phishing campaign targeting WooCommerce users, prompting them to download “critical patches” with fake security alerts, but instead deploying backdoors.
WordPress Security Company PatchStack described the activity as a refined variant of another campaign observed in December 2023, employing a fake CVE trick to violate sites running popular content management systems (CMS).
Given the similarities between phishing email lures, fake web pages, and the same methods employed to hide malware, the latest attack wave is considered to be either the work of the same threat actor or a new cluster that closely mimics the previous one.
“They claim that targeted websites are affected by the (non-existent) “Unrecognized Administrative Access” vulnerability, urging them to use IDN homograph attacks to access phishing websites that disguise themselves as official Woocommerce websites,” Chazz Wolcott said.
Phishing email recipients are recommended to click on the Download Patch link to download and install the expected security fixes. But in doing so, you will redirect them to a spoofed Ucommerce Marketplace page hosted in the domain you have “woocommėrce(.)com” (note the use of “ė” instead of “e”) (“authbypass-date-31297-id.zip”).
The victim is then asked to install the patch to install the regular WordPress plugin, effectively unlocking the following series of malicious actions –
- After configuring a randomly specified Cron job that runs every minute, create a new admin-level user with an obfuscated username and a randomized password
- Send an HTTP Get Request to an external server (“WooCommerce-Services(.)com/wpapi”) with username and password information, along with URL of the infected website
- Send an HTTP GET request to download the next stage obfuscation payload from the second server (“woocommerce-help(.)com/activate” or “woocommerce-api(.)com/activate”)
- Decode the payload and extract multiple web shells such as PAS fork, P0WNY, WSO, etc.
- Hide malicious plugins from the list of plugins and hide the created admin account
The ultimate result of the campaign is that it allows attackers to remote the website, inject spam or rough ads, redirect site visitors to a rogue site, register compromised servers in a botnet to carry out DDOS attacks, and even encrypt server resources as part of a long extension scheme.
Users are advised to scan suspicious plugins or administrator accounts to ensure that the software is up to date.
