WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors



Apr 28, 2025 · Ravie Lakshmanan · Website Security / Malware

Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert that urges them to download a "critical patch" but deploys a backdoor instead.

WordPress security company Patchstack described the activity as sophisticated and as a variant of another campaign observed in December 2023 that used a fake CVE ploy to breach sites running the popular content management system (CMS).

Given the similarities in the phishing email lures, the bogus web pages, and the identical techniques used to conceal the malware, the latest attack wave is believed to be either the work of the same threat actor or a new cluster closely mimicking the earlier one.


"They claim the targeted websites are impacted by a (non-existent) 'Unauthenticated Administrative Access' vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooCommerce website," security researcher Chazz Wolcott said.

Recipients of the phishing email are urged to click a "Download Patch" link in order to download and install the supposed security fix. Doing so instead redirects them to a spoofed WooCommerce Marketplace page hosted on the domain "woocommėrce[.]com" (note the "ė" in place of "e"), from which a ZIP archive ("authbypass-update-31297-id.zip") can be downloaded.
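The lure works because the browser shows the Unicode hostname while it actually resolves the Punycode form. The following Python script, an added example and not code from the article or from Patchstack, shows how a mail gateway or link-checker can surface that: it converts the hostname to the `xn--` form the resolver sees, folds accented letters back to their base letter, and reports when the folded name collides with a trusted domain. The trusted-domain set is a constructed assumption, and the fold only covers Latin letters with diacritics, not confusables from other scripts.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the recipient expects to land on. Constructed for this example.
TRUSTED_DOMAINS = {"woocommerce.com"}


def refang(value: str) -> str:
    """Undo the '[.]' defanging used in reports so the value can be parsed."""
    return value.replace("[.]", ".").strip().lower()


def skeleton(host: str) -> str:
    """Fold a hostname to its base Latin letters: NFKD-decompose each character
    and drop combining marks, so 'ė' (e + combining dot above) becomes 'e'.
    Confusables from other scripts (e.g. Cyrillic 'о') are not handled here."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyze_host(host: str, trusted=TRUSTED_DOMAINS) -> dict:
    host = refang(host)
    try:
        # The ASCII form the resolver actually looks up; any non-ASCII label
        # comes out as an 'xn--' Punycode label.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    folded = skeleton(host)
    lookalike_of = folded if (host not in trusted and folded in trusted) else None
    return {
        "host": host,
        "punycode": punycode,
        "has_non_ascii": punycode is not None and punycode != host,
        "lookalike_of": lookalike_of,
    }


def analyze_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Convenience wrapper: pull the hostname out of a (possibly defanged) URL."""
    host = urlsplit(refang(url)).hostname or ""
    return analyze_host(host, trusted)


if __name__ == "__main__":
    for sample in ("https://woocommėrce[.]com/marketplace/", "https://woocommerce.com/"):
        print(analyze_url(sample))
```

A URL whose `lookalike_of` is set should be treated as a phishing link regardless of how convincing the page behind it looks; the `punycode` field is what to log and block, since that is the name that actually appears in DNS queries and proxy logs.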

Victims are then prompted to install the patch as they would any regular WordPress plugin, which triggers the following chain of malicious actions –

  • Create a new administrator-level user with an obfuscated username and a randomized password, after setting up a randomly named cron job that runs every minute
  • Send an HTTP GET request to an external server ("woocommerce-services[.]com/wpapi") carrying the username and password along with the infected website's URL
  • Send an HTTP GET request to download a next-stage obfuscated payload from a second server ("woocommerce-help[.]com/activate" or "woocommerce-api[.]com/activate")
  • Decode the payload to extract multiple web shells such as P.A.S.-Fork, p0wny, and WSO
  • Hide the malicious plugin from the plugin list and conceal the newly created administrator account

The net result of the campaign is that it gives the attackers remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, or even encrypt the server's resources as part of an extortion scheme.

Users are advised to scan their instances for suspicious plugins or administrator accounts, and to ensure that the software is up to date.
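The advice above is easier to act on with a concrete check. The script below is an added example, not code from the article or from Patchstack; it walks a `wp-content/plugins` directory and flags any plugin that references the three command-and-control domains named in this article, or that combines the behaviours the article describes (hiding itself via the `all_plugins` filter, registering a custom cron interval, scheduling a cron event, creating a user with the administrator role, fetching remote content, and decoding or evaluating code at runtime). The hook and function names are standard WordPress/PHP APIs; the mapping of behaviours to them, the verdict thresholds and the two fixture plugins are constructed assumptions for this example.

```python
import re
import tempfile
from pathlib import Path

# Command-and-control domains named in the article (defanged there with "[.]").
CAMPAIGN_DOMAINS = ("woocommerce-services.com", "woocommerce-help.com", "woocommerce-api.com")

# Behaviours the article attributes to the fake plugin, mapped to the WordPress
# hooks and PHP calls a plugin would ordinarily use to perform them (assumption).
BEHAVIOUR_PATTERNS = {
    "hides_plugin_from_list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "custom_cron_interval":   re.compile(r"add_filter\(\s*['\"]cron_schedules['\"]"),
    "schedules_cron_event":   re.compile(r"\bwp_schedule_event\s*\("),
    "creates_user":           re.compile(r"\bwp_(?:insert|create)_user\s*\("),
    "mentions_admin_role":    re.compile(r"['\"]administrator['\"]"),
    "remote_fetch":           re.compile(r"\bwp_remote_get\s*\(|\bcurl_init\s*\(|file_get_contents\s*\(\s*['\"]https?://"),
    "dynamic_code":           re.compile(r"\beval\s*\(|\bbase64_decode\s*\("),
}


def scan_file(path: Path) -> dict:
    """Return the campaign domains and behaviour patterns found in one PHP file."""
    text = path.read_text(errors="replace")
    return {
        "domains": {d for d in CAMPAIGN_DOMAINS if d in text},
        "behaviours": {name for name, rx in BEHAVIOUR_PATTERNS.items() if rx.search(text)},
    }


def verdict(domains: set, behaviours: set) -> str:
    """A direct IoC hit is conclusive; otherwise self-hiding plus persistence or
    admin creation is suspicious, as is an unusually large cluster of behaviours."""
    if domains:
        return "campaign-ioc"
    hides = "hides_plugin_from_list" in behaviours
    makes_admin = {"creates_user", "mentions_admin_role"} <= behaviours
    if hides and (makes_admin or "schedules_cron_event" in behaviours):
        return "suspicious"
    if len(behaviours) >= 4:
        return "suspicious"
    return "clean"


def scan_plugins_dir(plugins_dir) -> list:
    """Walk wp-content/plugins and return one finding per plugin, worst first."""
    root = Path(plugins_dir)
    per_plugin = {}
    for php in root.rglob("*.php"):
        name = php.relative_to(root).parts[0]  # top-level plugin folder (or file)
        hits = scan_file(php)
        entry = per_plugin.setdefault(name, {"domains": set(), "behaviours": set()})
        entry["domains"] |= hits["domains"]
        entry["behaviours"] |= hits["behaviours"]
    report = [
        {"plugin": n, "verdict": verdict(e["domains"], e["behaviours"]),
         "domains": sorted(e["domains"]), "behaviours": sorted(e["behaviours"])}
        for n, e in per_plugin.items()
    ]
    rank = {"campaign-ioc": 0, "suspicious": 1, "clean": 2}
    return sorted(report, key=lambda r: (rank[r["verdict"]], r["plugin"]))


def build_demo_install() -> Path:
    """Create a throwaway plugins directory with two constructed fixtures: a benign
    plugin and a pattern-only stub (no working code) that carries the hooks and one
    C2 domain from the article, purely so the scanner has something to flag."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    benign = root / "sample-benign"
    benign.mkdir()
    (benign / "sample-benign.php").write_text(
        "<?php\n/* Plugin Name: Sample Benign (constructed) */\n"
        "add_action('init', function () { wp_schedule_event(time(), 'daily', 'sample_cleanup'); });\n"
    )
    fake = root / "authbypass-update"
    fake.mkdir()
    (fake / "authbypass-update.php").write_text(
        "<?php\n/* Plugin Name: Authbypass Update (constructed fixture) */\n"
        "add_filter('cron_schedules', 'ab_every_minute');\n"
        "add_filter('all_plugins', 'ab_hide_self');\n"
        "wp_schedule_event(time(), 'ab_minute', 'ab_tick');\n"
        "wp_insert_user(['role' => 'administrator']);\n"
        "wp_remote_get('https://woocommerce-services.com/wpapi');\n"
    )
    return root


if __name__ == "__main__":
    for row in scan_plugins_dir(build_demo_install()):
        print(row["verdict"], row["plugin"], row["domains"], row["behaviours"])
```

Point `scan_plugins_dir` at a real `wp-content/plugins` path to run it against an installation. Because the plugin hides itself from the dashboard's plugin list, a file-system walk like this one is the reliable inventory; for the administrator-account check, likewise avoid trusting the dashboard's user screen and enumerate accounts outside it, for example with WP-CLI's `wp user list --role=administrator` or a direct query against the `wp_users` and `wp_usermeta` tables, and compare the result against the administrators you know you created.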
