The Patchstack team has been monitoring a large-scale phishing campaign using a sophisticated email and web-based phishing template to warn users of a supposed security vulnerability in their WooCommerce installation. This attack bears a very striking similarity to a phishing campaign we reported on previously, this time targeting WooCommerce users specifically, instead of WordPress users in general. Given the similarities: similar email and phishing page formatting, a similar "security vulnerability" theme in the messaging, the nearly identical methods used to hide the malware, and the rather uncommon choice in web shell payloads; we believe it is likely that this campaign is either from the same attackers as the "Fake CVE" phishing attack, or at least very heavily inspired by them.
They claim the targeted websites are impacted by a (nonexistent) "Unauthenticated Administrative Access" vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website.

This is an illegitimate email, sent from another phishing address: `help@security-woocommerce[.]com`, and the plugin they provide through their website will, if installed, infect your website with a backdoor and a malicious administrator account.
This means that this campaign has no impact on you as long as you do not download and install their malicious plugin. Neither WordPress nor WooCommerce would ever ask you to manually download and install a patch or plugin; they would directly release a new version update instead.
Overview of the phishing page
Once you click on the Download Patch button in the email, you are directed to a fake WooCommerce Marketplace page, as seen in the screenshot below. This page is served through, at least, the malicious domain name woocommėrce[.]com (Note the ė in this domain, making it very similar to the official WooCommerce domain).

Technical analysis of the malicious patch
After downloading the patch, you will be served with a zip file, named authbypass-update-31297-id.zip, and instructed to install it as you would a normal plugin.
After activating the malicious plugin, it performs its actions silently, and takes advantage of a number of legitimate WordPress hooks to mask its activity.
After installation, this attack functions very similarly to the previously mentioned "Fake CVE" phishing campaign. This is what actually happens after installing the malicious "patch":
- The plugin adds a cronjob with a randomized name to WP Cron, attempting every minute to:
  - Create a new administrator-level user with an obfuscated username and a randomized password.
  - Send an HTTP GET request to an attacker-controlled server, in this case woocommerce-services[.]com/wpapi, with base64-encoded parameters containing the generated username and password, as well as the impacted site URL.
- After the attacker sends a specially formulated GET request to the impacted website, the plugin will send an HTTP GET request to download an additional obfuscated payload from an attacker-controlled server; in our testing: woocommerce-help[.]com/activate and woocommerce-api[.]com/activate.
- This payload is decoded and multiple PHP files are installed into `wp-content/uploads/wp-cached-<generated string>` on the impacted website. Each file is a different web shell; in our testing: P.A.S.-Fork, p0wny, and WSO.
- The plugin will then hide itself from the plugin list, as well as hide the administrator account it created.
As these web shells allow for essentially full control of the impacted server or web hosting account, these could be later exploited for many different attacks, likely:
- Injecting advertisements into the site
- Redirecting users to a malicious site
- Abusing the server's resources for a DDoS attack
- Stealing billing information
- Blackmail or ransomware, e.g., by encrypting the website, or by making a copy of the database and holding it hostage until paid
Indicators of compromise:
- A user with a seemingly random, 8 character username
- A cronjob set up with an unusual name, in our sample: mergeCreator655
- A folder called `authbypass-update` in the `wp-content/plugins/` folder
- A folder called `wp-cached-<8 character code>` in the `wp-content/uploads` folder
- Outgoing requests to woocommerce-services[.]com, woocommerce-api[.]com, or woocommerce-help[.]com
As this phishing campaign is discovered and the community is made aware, some or all of these indicators are likely to change. New versions of this campaign are likely to appear as domains get flagged by hosts, registrars and security services.
Patchstack will monitor the logs of our customers and has also added a new rule to the "Advanced Hardening" module that will attempt to block our customers from installing this malicious patch.
If you have any questions about this phishing campaign or need any help, contact the Patchstack team.