
Apr 28, 2025 | Ravie Lakshmanan | Website Security / Malware

Security experts are sounding the alarm about a widespread phishing campaign that is targeting users of WooCommerce, a popular e-commerce platform, with a fake security alert. The alert urges users to download a “critical patch” that, in reality, deploys a backdoor.

According to Patchstack, a WordPress security company, this campaign is a sophisticated variant of a previous one observed in December 2023, which used a fake CVE ploy to breach websites running on the popular content management system (CMS). Given the similarities in the phishing email lures, bogus web pages, and methods used to conceal the malware, it is likely that this latest attack wave is the work of the same threat actor or a new cluster mimicking the earlier one.

The phishing email claims that the targeted website is vulnerable to an “Unauthenticated Administrative Access” vulnerability and urges the user to visit a phishing website that uses an IDN homograph attack to disguise itself as the official WooCommerce website, as explained by security researcher Chazz Wolcott. The user is then prompted to click on a “Download Patch” link, which redirects them to a spoofed WooCommerce Marketplace page where a ZIP archive containing the malicious plugin can be downloaded.

Once installed, the malicious plugin creates a new administrator-level user with an obfuscated username and a randomized password, sets up a cron job, and sends an HTTP GET request to an external server with information about the username and password, along with the infected website’s URL. The plugin then downloads a next-stage obfuscated payload, decodes it to extract multiple web shells, and hides the malicious plugin and the created administrator account.

The net effect is that the attackers gain remote control over the compromised websites, which lets them inject spam or malicious ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, or even encrypt the server's resources as part of an extortion scheme. The malicious actions include:

  • Creating a new administrator-level user with an obfuscated username and a randomized password
  • Sending an HTTP GET request to an external server with information about the username and password
  • Downloading a next-stage obfuscated payload from a second server
  • Decoding the payload to extract multiple web shells
  • Hiding the malicious plugin and the created administrator account

Users are advised to scan their instances for suspicious plugins or administrator accounts and ensure that their software is up-to-date to prevent falling victim to this phishing campaign.
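A concrete form of that check, as an added example that is not from the article or from Patchstack: a Python audit that flags administrator accounts outside an allowlist, recently created or with random-looking usernames, and plugins or cron hooks present on the system that the site's own listing omits (comparing what is on disk or in the database against what WordPress reports is one way to surface a hidden plugin). The sample records, entropy and age thresholds, and placeholder names are assumptions.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

def shannon_entropy(s):
    """Bits of entropy per character; random-looking logins score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(login, min_len=12, min_bits=3.5):
    """Heuristic with assumed thresholds: long and near-uniform character mix."""
    return len(login) >= min_len and shannon_entropy(login) >= min_bits

def audit_admins(users, known_admins, now, window_days=30):
    """Return {login: [reasons]} for administrator accounts that need review."""
    findings = {}
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in admin allowlist")
        if looks_random(u["user_login"]):
            reasons.append("random-looking username")
        if now - datetime.fromisoformat(u["user_registered"]) <= timedelta(days=window_days):
            reasons.append(f"registered within {window_days} days")
        if reasons:
            findings[u["user_login"]] = reasons
    return findings

def unlisted(on_system, site_reports):
    """Items present on disk or in the DB that the site's own listing omits."""
    return sorted(set(on_system) - set(site_reports))

# Constructed sample data standing in for `wp user list`, `ls wp-content/plugins`, `wp plugin list` and `wp cron event list`; not from a real site.
NOW = datetime(2025, 4, 28, 12, 0, 0)
USERS = [
    {"user_login": "siteowner", "roles": ["administrator"], "user_registered": "2022-01-05 09:00:00"},
    {"user_login": "editor_jane", "roles": ["editor"], "user_registered": "2024-11-02 14:30:00"},
    {"user_login": "k7v3p9q2x8m1", "roles": ["administrator"], "user_registered": "2025-04-25 03:12:41"},
]
KNOWN_ADMINS = {"siteowner"}
PLUGIN_DIRS = ["akismet", "woocommerce", "example-hidden-plugin"]
PLUGINS_LISTED = ["akismet", "woocommerce"]
CRON_HOOKS = ["wp_update_plugins", "wp_scheduled_delete", "example_hidden_hook"]
EXPECTED_HOOKS = ["wp_update_plugins", "wp_scheduled_delete"]
if __name__ == "__main__":
    for login, why in audit_admins(USERS, KNOWN_ADMINS, NOW).items():
        print(f"ADMIN {login}: {', '.join(why)}")
    print("hidden plugins:", unlisted(PLUGIN_DIRS, PLUGINS_LISTED))
    print("unexpected cron hooks:", unlisted(CRON_HOOKS, EXPECTED_HOOKS))
```

Feed it the real command output (or rows pulled straight from the database with SQL) in place of the constructed records; an account or plugin that only shows up in the raw data and not in the admin UI is the signal to investigate.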
