Full Report
A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a "critical patch" that adds a Wordpress backdoor to the site. [...]
Analysis Summary
# Incident Report: Fake WooCommerce Security Patch Leading to Site Hijack
## Executive Summary
WooCommerce administrators were targeted by a sophisticated, two-stage phishing campaign disguised as urgent security patch notifications. Attackers used homograph attacks in emails to lure victims into downloading a malicious file disguised as a security update. Upon installation, the implant established persistence via a malicious cronjob, created a hidden administrator account, and deployed multiple PHP web shells, granting threat actors full control over the compromised e-commerce sites for potential data theft, redirection, or ransomware deployment.
## Incident Details
- **Discovery Date:** April 21, 2025 (Implied, based on the second security scan mentioned)
- **Incident Date:** Initial phishing attempts noted around April 14, 2025.
- **Affected Organization:** WooCommerce website administrators/owners (e-commerce sector).
- **Sector:** E-commerce/Software Users
- **Geography:** Not specified, global target for WooCommerce users.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting around April 14, 2025.
- **Vector:** Phishing emails claiming a critical, recently discovered vulnerability in the WooCommerce platform.
- **Details:** Emails created urgency, referencing a security scan confirming the vulnerability impacts the recipient's site. Clicking the 'Download Patch' button led to a deceptive website using a homograph attack domain: `woocommėrce[.]com` (using the Lithuanian character 'ė' instead of 'e').
### Lateral Movement
- **Date/Time:** Post-installation of the initial package.
- **Details:** After installation of the fake patch (`authbypass-update-31297-id.zip`), a randomly named cronjob was created to run every minute, attempting to forge a new admin-level user. The payload then registered the site via HTTP GET to `woocommerce-services[.]com/wpapi` to fetch a second-stage obfuscated payload.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing post-compromise.
- **Details:** The second-stage payload installed multiple PHP web shells (including P.A.S.-Form, p0wny, and WSO) in the `wp-content/uploads/` directory, granting the attackers full control. This control could enable ad injection, user redirection, DDoS botnet enlistment, stealing payment card information, or deploying ransomware.
### Detection & Response
- **Date/Time:** Detected by security researchers (Patchstack).
- **Details:** The initial fake plugin automatically removed itself from the visible plugin list, and the malicious administrator account was hidden to evade detection. The response analysis involved identifying unusual admin accounts, anomalous cronjobs, and network connections to specific domains.
## Attack Methodology
- **Initial Access:** Phishing via emails promoting fake security patches, delivered via a homograph domain spoofing WooCommerce.
- **Persistence:** Creation of a randomly named cronjob running every minute designed to create new administrative users.
- **Privilege Escalation:** Successfully achieving administrator-level access via the installation of the fake update and the subsequent creation of a new hidden admin user.
- **Defense Evasion:** The loaded plugin removed itself from the visible list, and the newly created malicious administrator account was hidden.
- **Credential Access:** Not explicitly detailed, but full site control achieved implies access to configuration and potentially user/payment data.
- **Discovery:** Unknown, but the attack implies the threat actors had prior knowledge of WooCommerce administration routines.
- **Lateral Movement:** Fetching a second-stage payload via an external API endpoint after initial installation.
- **Collection:** Web shells allow for stealing payment card information or collecting other sensitive data.
- **Exfiltration:** Not explicitly detailed, but implied via web shell capabilities (e.g., data theft).
- **Impact:** Full site compromise, potential for financial fraud, data theft, and service disruption.
## Impact Assessment
- **Financial:** Potential costs associated with data remediation, customer compensation, and reputation repair. Risk of payment card information theft.
- **Data Breach:** Potential exposure of customer data and payment card information if the web shells were utilized for collection.
- **Operational:** Severe disruption due to full site takeover; risk included redirection, ad fraud, or ransomware encryption.
- **Reputational:** High risk due to the official nature of the spoofed communication (security update) and the compromise of an e-commerce store.
## Indicators of Compromise
- **Network indicators:** Outgoing HTTP GET requests to `woocommerce-services[.]com/wpapi`, as well as connections to `woocommerce-api[.]com` or `woocommerce-help[.]com`.
- **File indicators:** Presence of the malicious archive `authbypass-update-31297-id.zip`, and PHP web shells installed in the `wp-content/uploads/` directory (e.g., P.A.S.-Form, p0wny, WSO). A folder named 'authbypass-update' may also be present.
- **Behavioral indicators:** Unusual cronjobs configured to run every minute; the sudden appearance of hidden, 8-character randomly named administrator accounts.
## Response Actions
- **Containment:** Immediate removal of the malicious plugin and deletion of the hidden administrator account.
- **Eradication:** Deleting all deployed PHP web shells from `wp-content/uploads/`. Removing the anomalous cronjob.
- **Recovery:** Auditing and potentially resetting all administrative passwords and credentials. Restoring from backups if data encryption (ransomware) occurred.
## Lessons Learned
- Email vigilance must extend beyond simple URL matching to include scrutiny of characters used (Homograph attacks).
- Users must never install software or "patches" originating from unsolicited security alerts, regardless of how urgent they seem. Patches should always be downloaded directly from official software vendor repositories.
- Critical platform reliance on unsolicited third-party notifications for patching creates a significant attack surface.
## Recommendations
- Implement strict Web Application Firewalls (WAFs) configured to monitor for known web shell signatures and suspicious outbound connections from WordPress directories.
- Regularly audit WordPress core, plugins, and theme files for unauthorized file modifications, especially in the `wp-content/uploads/` directory.
- Administrators should regularly audit user accounts, specifically checking for any newly introduced accounts with random names or elevated privileges that cannot be accounted for.
- Train staff to verify the legitimacy of security alerts by cross-referencing communication channels (e.g., checking the official vendor website or support portal directly, rather than clicking links in the email).