WooCommerce admins targeted by fake security patches that hijack sites

BACKGROUND

Once installed and activated, the malicious plugin gives the threat actors administrator access to the dashboard and abuses the WordPress REST API to achieve remote code execution, injecting malicious PHP code into the active theme's header file and clearing the caches of popular caching plugins so that cached pages do not keep serving the clean version.

A newer iteration of the malware changes how the code injections are handled, fetching JavaScript code hosted on another compromised domain and using it to serve ads or spam.

The plugin is also complemented by a malicious wp-cron.php file which, should the plugin be removed from the plugins directory, recreates and reactivates it automatically on the next site visit.

EXPLOIT

The emails targeting WordPress admins spoof the popular WooCommerce e-commerce plugin, using the address ‘help@security-woocommerce[.]com.’

Recipients are informed that their websites were targeted by hackers attempting to exploit an ‘unauthenticated administrative access’ vulnerability.

To protect their online stores and data, recipients are advised to download a patch using the embedded button, with step-by-step instructions on how to install it included in the message.

Clicking on the 'Download Patch' button takes victims to a website that spoofs WooCommerce, using the deceptive 'woocommėrce[.]com' domain, which differs from the official woocommerce.com by a single character: the 'ė' is the Unicode character 'e with dot above' (U+0117), a homoglyph used for IDN lookalike domains.

After the victim installs the fake security fix ("authbypass-update-31297-id.zip"), the plugin registers a randomly named WP-Cron job that runs every minute and attempts to create a new administrator-level user.

Next, the plugin registers the infected site via an HTTP GET request to ‘woocommerce-services[.]com/wpapi,’ and fetches a second-stage obfuscated payload.

This, in turn, installs multiple PHP-based web shells under 'wp-content/uploads/', including P.A.S.-Fork, p0wny, and WSO.

RECOMMENDATION

MWCERT advises website owners to scrutinize administrator accounts for random 8-character usernames, look for unusual cron jobs and a plugin folder named 'authbypass-update', and check for outgoing requests to woocommerce-services[.]com, woocommerce-api[.]com, or woocommerce-help[.]com.
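The following script is an added example of how to hunt for the indicators listed above; it is not MWCERT's or Patchstack's tooling. It assumes the administrator list comes from `wp user list --role=administrator`, that cron hooks and their recurrence (converted to seconds) come from `wp cron event list`, and that outbound requests are available as log lines containing URLs. All of that input, plus the sample site tree, is constructed inline so the script runs offline; the allowlists KNOWN_ADMINS and known_hooks are placeholders you must fill from your own records.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory above.
IOC_DOMAINS = {
    "woocommerce-services.com",
    "woocommerce-api.com",
    "woocommerce-help.com",
}
IOC_PLUGIN_DIR = "authbypass-update"

# Accounts the site owner knows are legitimate (assumed placeholder values).
KNOWN_ADMINS = {"admin", "shopowner"}

# The advisory's indicator: an 8-character random login.
RANDOM_8 = re.compile(r"^[a-z0-9]{8}$")


def suspicious_admins(users):
    """users: iterable of (login, role) tuples. Flags administrator accounts
    with an 8-char lowercase alphanumeric login that the owner did not create.
    This is a heuristic: review the hits, do not delete automatically."""
    return sorted(
        login for login, role in users
        if role == "administrator"
        and login not in KNOWN_ADMINS
        and RANDOM_8.match(login)
    )


def suspicious_cron_events(events, known_hooks):
    """events: iterable of (hook, interval_seconds); interval None means a
    one-off event. Flags recurring hooks that fire every 60 s or faster and
    are not registered by core or a known plugin (the fake plugin's job runs
    every minute under a random hook name)."""
    return sorted(
        hook for hook, interval in events
        if hook not in known_hooks and interval is not None and interval <= 60
    )


def scan_filesystem(root):
    """Reports the malicious plugin folder by name and any PHP file under
    wp-content/uploads, where PHP never belongs (the web shells were dropped
    there). Paths are returned relative to the site root, POSIX style."""
    root = Path(root)
    findings = []
    plugin_dir = root / "wp-content" / "plugins" / IOC_PLUGIN_DIR
    if plugin_dir.is_dir():
        findings.append(f"plugin folder present: {plugin_dir.relative_to(root).as_posix()}")
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        for p in uploads.rglob("*"):
            if p.is_file() and p.suffix.lower() in {".php", ".phtml", ".php5", ".phar"}:
                findings.append(f"php in uploads: {p.relative_to(root).as_posix()}")
    return sorted(findings)


HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def matches_ioc_domain(host):
    """True for an IOC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ioc_egress(log_lines):
    """Returns the log lines whose URLs contact an IOC domain."""
    hits = []
    for line in log_lines:
        if any(matches_ioc_domain(h) for h in HOST_RE.findall(line)):
            hits.append(line.strip())
    return hits


def build_sample_site(root):
    """Constructed sample tree standing in for a compromised install."""
    root = Path(root)
    plugin = root / "wp-content" / "plugins" / IOC_PLUGIN_DIR
    plugin.mkdir(parents=True)
    (plugin / "authbypass-update.php").write_text("<?php // constructed placeholder\n")
    up = root / "wp-content" / "uploads" / "2025" / "04"
    up.mkdir(parents=True)
    (up / "product.jpg").write_bytes(b"\xff\xd8\xff")  # a legitimate upload
    (up / "wso.php").write_text("<?php // constructed placeholder for a dropped shell\n")


def demo():
    """Runs every check against constructed sample data (not real telemetry)."""
    users = [("admin", "administrator"), ("k3j9x2qa", "administrator"),
             ("editor01", "editor"), ("shopowner", "administrator")]
    known_hooks = {"wp_version_check", "wp_update_plugins",
                   "woocommerce_cleanup_sessions", "action_scheduler_run_queue"}
    events = [("wp_version_check", 43200), ("action_scheduler_run_queue", 60),
              ("zq8r1mvp", 60), ("wp_privacy_delete_old_export_files", None)]
    log_lines = [  # constructed egress log lines
        "2025-04-28T10:02:11Z GET https://woocommerce-services.com/wpapi?site=shop.example",
        "2025-04-28T10:02:12Z GET https://api.wordpress.org/core/version-check/1.7/",
        "2025-04-28T10:03:00Z GET https://cdn.woocommerce-help.com/x.js",
        "2025-04-28T10:03:05Z GET https://woocommerce.com/",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        files = scan_filesystem(tmp)
    return {
        "admins": suspicious_admins(users),
        "cron": suspicious_cron_events(events, known_hooks),
        "files": files,
        "egress": ioc_egress(log_lines),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

Two practical caveats: legitimate WooCommerce jobs such as action_scheduler_run_queue also run every minute, so the cron check is only useful with an allowlist of hooks you know your plugins register; and because the malicious wp-cron.php restores the plugin after removal, also verify that wp-cron.php and the rest of core match the official files (`wp core verify-checksums`) before considering the site clean.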
