May 25, 2023

New Malware Alert

A clever piece of WooCommerce malware with an embarrassing twist...

Meet Threat Actors

Since its inception, the internet has rapidly become an integral part of how our society communicates and does business. It has not only accelerated the dissemination of information globally but has equipped the business owner with the ability to reach new clients and untapped markets. Unfortunately, this reliance on digital communication and commerce has presented new opportunities for petty thieves and threat actors.  

Couch Hacking

A thief no longer needs to infiltrate a brick-and-mortar business to steal; they can do it from the comfort of their own couch. By compromising a user’s website, an unethical hacker can steal money, spy on users, or set up phishing and adware campaigns. It is essential for the user to properly secure their online assets, lest they become another victim of digital crime.

Hiding in Plain Sight

During our investigation of a novel malware dropper, security researcher Elkins Berrios discovered a peculiar file called woocommerce-admin-tool-zip.php. Initially it appeared to be a WordPress plugin related to WooCommerce.

Upon closer examination, our team quickly identified that this script was indeed malicious, and not a legitimate WordPress plugin. We observed that the PHP script was using a simple obfuscation technique to conceal its underlying functionality. The script author purposefully added extra characters to strings related to GET request parameters. The script utilizes the str_replace function to remove the added characters and deobfuscate the strings.

Original snippet

[Screenshot of the original, obfuscated snippet]

Deobfuscated snippet

[Screenshot of the deobfuscated snippet]

When specifically crafted requests are submitted to the malicious script, a range of functionality is executed.

[Screenshot of the request-handling code]

In the example above, when a GET request containing add-to-cart0128263 is submitted to the script, the function sets the current user to the first user with the administrator role by loading the WordPress environment via wp-load.php. This allows the attacker complete administrative access to the user’s web app. With this escalated privilege, the attacker can further compromise the user’s site with backdoors, webshells, adware, phishing kits, or perform a number of other malicious activities.

In a similar fashion, when specific GET requests are submitted, a new user with administrative privileges is added. A backdoored user presents a host of issues as an attacker gains the ability to make changes to a user’s site as well as upload malicious content. Fortunately, in this case, the attacker’s attempts may have been foiled by a simple spelling mistake.

(notice the misspelling of administrator)
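The two request handlers described above both end in an administrator account the site owner did not create or did not expect to be used: one impersonates the first existing administrator, the other inserts a new one (with a mistyped role name in this sample). The audit below is an added example, not Monarx's tooling and not code from the malware; it runs the kind of review the write-up recommends against an in-memory SQLite copy of the wp_users/wp_usermeta layout populated with constructed rows (the misspelled role string is also constructed, since the write-up only shows it in a screenshot). Against a live site, pass a real DB-API connection instead.

```python
"""Audit WordPress accounts: who is an administrator, which administrators were
registered recently, and which accounts carry a role name WordPress does not know
(a mistyped role is exactly what a botched backdoor account leaves behind)."""
import re
import sqlite3

# Roles registered by WordPress core and WooCommerce; extend for other plugins.
KNOWN_ROLES = {"administrator", "editor", "author", "contributor", "subscriber",
               "shop_manager", "customer"}
# wp_capabilities is a serialized PHP array such as a:1:{s:13:"administrator";b:1;}
ROLE_ENTRY = re.compile(r's:\d+:"([^"]+)";b:1;')


def parse_roles(capabilities):
    """Extract the enabled role names from a serialized wp_capabilities value."""
    return set(ROLE_ENTRY.findall(capabilities or ""))


def audit_users(conn, prefix="wp_", since="1970-01-01"):
    """Return administrators, administrators registered on/after `since`, and unknown roles."""
    # `prefix` is trusted configuration (the table prefix), never request input.
    rows = conn.execute(
        f"SELECT u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.user_login",
        (f"{prefix}capabilities",),
    ).fetchall()
    admins, new_admins, unknown = [], [], []
    for login, registered, caps in rows:
        roles = parse_roles(caps)
        if "administrator" in roles:
            admins.append(login)
            if registered >= since:          # ISO timestamps compare correctly as strings
                new_admins.append(login)
        for role in sorted(roles - KNOWN_ROLES):
            unknown.append((login, role))
    return {"administrators": admins, "new_admins": new_admins, "unknown_roles": unknown}


def build_sample_db():
    """In-memory stand-in for wp_users/wp_usermeta with constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    users = [(1, "shopowner", "2019-03-02 10:00:00"),
             (2, "wc_support", "2023-05-20 03:14:07"),   # admin added inside the compromise window
             (3, "svc_update", "2023-05-20 03:14:09"),   # role name mistyped (constructed spelling)
             (4, "jane", "2021-07-15 12:00:00")]
    caps = [(1, 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'a:1:{s:13:"administrator";b:1;}'),
            (3, 'a:1:{s:12:"adminstrator";b:1;}'),
            (4, 'a:1:{s:12:"shop_manager";b:1;}')]
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", users)
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                     "VALUES (?, 'wp_capabilities', ?)", caps)
    return conn


if __name__ == "__main__":
    print(audit_users(build_sample_db(), since="2023-05-01"))
```

Run with `since` set to the start of the compromise window and review every login in `new_admins` and `unknown_roles` by hand; an account whose role string is not a registered role has no capabilities today, but it is still evidence that something wrote to wp_usermeta. MySQL connectors use `%s` rather than `?` as the placeholder, so adjust the one parameterized clause when pointing this at a live database.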

In this example, when a GET request containing submit-ticked-9317 is passed to the script, file-upload functionality is executed. This could allow the attacker to hide payloads, usually malicious PHP or JavaScript, within fake image files, which could lead to arbitrary execution of malicious code on the user’s site.
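A fake image of the kind described above has two tell-tale properties: its bytes do not start with the header its extension promises, or it carries PHP or script markup somewhere in its body. The scanner below is an added example (not Monarx's product and not code from the write-up) that checks both over a wp-content/uploads tree; `build_sample_uploads` writes constructed files so it can run offline, and the payload strings in them are inert stand-ins.

```python
"""Flag files under wp-content/uploads that claim to be images but carry PHP or
script markup, or whose bytes do not match the header their extension implies."""
from pathlib import Path
import tempfile

# Expected leading bytes per image extension (a tuple so bytes.startswith() can take it).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAGS = (b"<?php", b"<?=")   # the bare "<?" short tag is skipped to spare XML-ish metadata
SCRIPT_TAG = b"<script"


def scan_file(path):
    """Reasons a purported image should be reviewed; an empty list means clean."""
    data = path.read_bytes()
    reasons = []
    magics = MAGIC.get(path.suffix.lower())
    if magics is not None and not data.startswith(magics):
        reasons.append("magic-mismatch")
    lowered = data.lower()
    if any(tag in lowered for tag in PHP_TAGS):
        reasons.append("embedded-php")
    if SCRIPT_TAG in lowered:
        reasons.append("embedded-script")
    return reasons


def scan_uploads(root):
    """Map relative path -> reasons for every flagged image file under `root`."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MAGIC:
            hits = scan_file(p)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report


def build_sample_uploads(root):
    """Write constructed files: one clean JPEG and three images with hidden markup."""
    d = Path(root) / "2023" / "05"
    d.mkdir(parents=True, exist_ok=True)
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32)
    # Valid PNG header with PHP appended after the image data (survives a magic check).
    (d / "banner.png").write_bytes(MAGIC[".png"][0] + b"\x00" * 16 + b"<?php /* stand-in */ ?>")
    # No image header at all: a PHP file renamed to .jpg.
    (d / "logo.jpg").write_bytes(b"<?php /* stand-in, no image header */ ?>")
    # Valid GIF header with script markup inside.
    (d / "anim.gif").write_bytes(b"GIF89a" + b"\x00" * 8 + b"<script>/* stand-in */</script>")


def demo():
    """Build the constructed samples in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, reasons)
```

Anything flagged `embedded-php` inside the uploads directory deserves a second look at the web server configuration as well, since an uploads tree that is served with PHP execution enabled is what turns a hidden payload into code execution. Expect the occasional false positive from EXIF or XMP text that happens to contain the strings above.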

Finally, the script cleverly ensures the plugin is hidden from the unsuspecting user by removing it from the fetched list of WordPress plugins.
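The padding-and-str_replace obfuscation described under "Hiding in Plain Sight" and the plugin-list self-removal described just above can both be caught statically, because the stripped characters, the empty replacement and the padded string are all literals sitting in the same call. The triage script below is an added example, not Monarx's scanner and not code recovered from the sample: it emulates str_replace() over literal arguments, compares the decoded result with a watchlist of functions an admin-takeover dropper needs, and separately looks for an `all_plugins` filter hook, a direct include of wp-load.php, and the `ogetu_usoers` string the write-up mentions. `SAMPLE_PHP` is constructed to mimic the pattern; only that last literal comes from the write-up, and the padding characters in the real sample differ.

```python
"""Static triage of WordPress plugin files: decode padded str_replace() literals,
match them against a watchlist, and flag plugin-list hiding and direct wp-load.php use."""
import re

# Identifiers a plugin rarely needs inside a GET-triggered handler but an
# admin-takeover dropper does; matched against literals *after* emulating str_replace().
WATCHLIST = ("wp_set_current_user", "get_users", "wp_insert_user", "wp_create_user")
KNOWN_VARIANT_STRINGS = ("ogetu_usoers",)  # this variant only; the obfuscation is polymorphic
ALL_PLUGINS_HOOK = re.compile(r"""add_filter\s*\(\s*['"]all_plugins['"]""")
LITERAL = re.compile(r"""(['"])([^'"]*)\1""")


def _call_bodies(src, name):
    """Yield the argument text of every `name(...)` call, honouring quotes and nesting."""
    for m in re.finditer(re.escape(name) + r"\s*\(", src):
        i, depth, quote = m.end(), 1, None
        while i < len(src) and depth:
            ch = src[i]
            if quote:
                quote = None if ch == quote else quote
            elif ch in "'\"":
                quote = ch
            elif ch in "()":
                depth += 1 if ch == "(" else -1
            i += 1
        if depth == 0:
            yield src[m.end():i - 1]


def _split_args(body):
    """Split a PHP argument list on top-level commas (quotes and brackets respected)."""
    args, cur, depth, quote = [], [], 0, None
    for ch in body:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def _literals(arg):
    """String literal(s) of a scalar or array argument; None if it is not all literals."""
    if arg.startswith(("array", "[")):
        return [v for _, v in LITERAL.findall(arg)] or None
    m = LITERAL.fullmatch(arg)
    return [m.group(2)] if m else None


def decode_str_replace(body):
    """Emulate str_replace(search, replace, subject) when all three arguments are literals."""
    args = _split_args(body)
    if len(args) != 3:
        return None
    search, replace, subject = (_literals(a) for a in args)
    if not (search and replace and subject) or len(replace) != 1 or len(subject) != 1:
        return None
    out = subject[0]
    for s in search:                 # PHP applies each search string in turn
        if s:
            out = out.replace(s, replace[0])
    return out


def scan_source(src):
    """Return (kind, evidence) findings for one PHP source text."""
    findings = []
    for body in _call_bodies(src, "str_replace"):
        decoded = decode_str_replace(body)
        if decoded:
            findings += [("decoded_watchlist", n) for n in WATCHLIST if n in decoded.lower()]
    if ALL_PLUGINS_HOOK.search(src):
        findings.append(("hides_from_plugin_list", "all_plugins"))
    if "wp-load.php" in src:
        findings.append(("loads_wordpress_directly", "wp-load.php"))
    findings += [("known_variant_string", s) for s in KNOWN_VARIANT_STRINGS if s in src]
    return findings


# Constructed sample mimicking the write-up's pattern; not the real dropper.
SAMPLE_PHP = r"""<?php
/* Plugin Name: WooCommerce Admin Tool */
require_once dirname(__FILE__) . '/../../../wp-load.php';
$f = str_replace('Q', '', 'wp_sQet_cuQrrent_uQser');
$g = str_replace(['x', 'y'], '', 'wpx_inysxert_uyser');
$marker = 'ogetu_usoers';
add_filter('all_plugins', 'hide_self');
"""

if __name__ == "__main__":
    for kind, evidence in scan_source(SAMPLE_PHP):
        print(f"{kind}: {evidence}")
```

Feed `scan_source` the text of each .php file under wp-content/plugins (and mu-plugins) and review anything with more than one finding; a legitimate plugin seldom combines a decoded watchlist hit with an `all_plugins` hook. The decoder only handles literal arguments on purpose: once the search string or subject comes from a variable, the file needs a human, not a regex.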

Hidden Intentions

It is not uncommon for an attacker to attempt to hide their intentions in the form of an illegitimate plugin with fake comments, or behind obfuscation techniques. This particular file is interesting because at first sight, it appears to be a legitimate plugin. The attacker’s attempts to conceal the intent of the script, coupled with malicious functionality, make this file a dangerous and potentially persistent threat.

What we learned…

During our investigation, we learned that the user’s web app fell victim to exploits related to multiple out-of-date and vulnerable WordPress plugins, a common vector of attack utilized by threat actors to compromise web applications. We observed that during the window of compromise, the user was running an out-of-date instance of the Elementor Pro plugin that is being widely exploited in a massive hacker campaign. Additionally, we discovered several .sql files in the user’s public_html folder. Unfortunately, these database files contained years of customer payment information and transaction data and were publicly accessible on the user’s site. It appears that the threat actor dumped the user’s SQL database in an attempt to harvest customer PCI/PII.

“We (Monarx Security Researchers) cannot stress enough the importance of keeping WordPress plugins up to date and regularly reviewing administrative accounts and credentials.”

A reader interested in manually identifying this specific version of the malware might try searching plugin files for ogetu_usoers. Unfortunately, the malware is polymorphic, and the specifics of the obfuscation will vary.

How Monarx Helps

Monarx searches and destroys malware based on its behavior and not a specific file name or pattern matching. Those legacy methods are not only resource expensive, but they are also inefficient at finding polymorphic malware. Monarx doesn’t rely on signatures. Our revolutionary technology identifies malware based on what it does, not what it looks like. Monarx sees through the modern obfuscation techniques that confuse signature-based tools, and easily handles new & unusual variants that they’re blind to. The result is more effective prevention, with extremely few false positives.