Fake WooCommerce Security Alert Phishing Campaign Deploys Backdoor, Creates Rogue Admin Accounts
April 28, 2025
A sophisticated phishing campaign is targeting WooCommerce users with a fake security alert that urges them to download a non-existent 'critical patch', which actually deploys a backdoor.
This campaign bears similarities to a previous phishing attack from December 2023 that exploited a fake CVE to breach WordPress sites.
The phishing site relies on an IDN homograph attack: its domain, woocommėrce.com, closely resembles the legitimate WooCommerce domain.
Upon installation, the malicious plugin operates like a regular plugin but secretly adds a hidden WP Cron job that creates a new administrator account and sends the credentials to an attacker-controlled server.
This malware hides itself from the list of installed plugins, concealing the rogue admin account while transmitting the credentials to the attackers.
Once installed, the malware creates a new administrator account with obfuscated credentials and sets up a cron job to execute every minute.
The attackers can then download additional malicious payloads and install various web shells, granting them full control over the compromised server.
These web shells enable a range of malicious activities, including ad injection, visitor redirection, data theft, DDoS attacks, and ransomware operations.
The malware also sends HTTP GET requests to external servers, leaking sensitive information about the new admin account and the infected website's URL.
WooCommerce users are advised to scan their sites for suspicious plugins and unauthorized admin accounts, and to keep their WordPress installations and related plugins updated.
As the campaign is exposed, its indicators may change, and new versions are expected to emerge as security services flag compromised domains.
Indicators of compromise for this campaign include unusual user account names, suspicious cron jobs, and specific folders within the WordPress file system.
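The lookalike domain described above can be caught in mail or proxy logs by folding each observed domain to an ASCII comparison form. The following Python sketch is an added example, not code from the cited reports; the function names and the `PROTECTED` list are assumptions made for illustration.

```python
import unicodedata

# Domains to protect; woocommerce.com is the brand named in the article.
PROTECTED = {"woocommerce.com"}

def skeleton(domain: str) -> str:
    """Fold to a comparison form: lowercase, decompose accented letters
    (NFKD) and drop the combining marks left behind.
    Limitation: this catches diacritic lookalikes such as the one in this
    campaign; cross-script confusables need the Unicode confusables table."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of a domain, as it appears in DNS and proxy logs."""
    return domain.encode("idna").decode("ascii")

def _matches(domain: str, protected: str) -> bool:
    # Exact match or a subdomain of the protected name.
    return domain == protected or domain.endswith("." + protected)

def classify(domain: str) -> str:
    """Return 'legitimate', 'homograph' or 'unrelated' for an observed domain."""
    d = domain.strip().rstrip(".").lower()
    if d.isascii():
        # Logs usually carry the xn-- form; decode it back to Unicode first.
        d = d.encode("ascii").decode("idna")
    for p in PROTECTED:
        if _matches(d, p):
            return "legitimate"
        if _matches(skeleton(d), p):
            return "homograph"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample input: the lookalike from the article (with U+0117),
    # its punycode form, the real domain, and an unrelated domain.
    lookalike = "woocomm\u0117rce.com"
    for seen in (lookalike, to_punycode(lookalike), "woocommerce.com", "example.org"):
        print(f"{seen!r:40} -> {classify(seen)}")
```
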
Summary based on 3 sources
Sources

TechRadar pro • Apr 28, 2025
WooCommerce phishing campaign uses fake patch to lure victims into installing backdoors
The Hacker News • Apr 28, 2025
WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors
Security Affairs • Apr 28, 2025
A large-scale phishing campaign targets WordPress WooCommerce users