PHP/Payoow.CO!tr
Analysis
PHP/Payoow.CO!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as PHP/Payoow.CO!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is associated with the WooCommerce Payments outbreak and with exploitation of CVE-2023-28121. The vulnerability is in the WooCommerce Payments plugin for WordPress, versions 4.8.0 through 5.6.1.
- CVE-2023-28121 allows a remote, unauthenticated attacker to send requests on behalf of privileged users such as administrators and thereby obtain administrative access to the site. PHP/Payoow.CO!tr detects the malicious PHP payload deployed on sites compromised this way.
- Below are images of the malicious payload:
  - Figure 1: Obfuscated malicious payload.
  - Figure 2: Deobfuscated payload file.
- This malware has been associated with the following third-party advisories:
  - https://nvd.nist.gov/vuln/detail/CVE-2023-28121
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28121
- MD5: fb1fd5d5ac7128bf23378ef3e238baba
- SHA256: e5797f9c2dcaee289db4400bf25091ba65b5b79d2c3b1be4855b50b1448c6594
Outbreak Alert
An authentication bypass vulnerability affects the WooCommerce Payments plugin, versions 4.8.0 through 5.6.1. Successful exploitation could allow an unauthenticated attacker to impersonate arbitrary users, including an administrator, and gain admin privileges on the WordPress site, potentially leading to site takeover.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
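As an added example (not part of this Fortinet page and not Fortinet code), the following Python script shows how a responder could turn the indicators above into a check against a WordPress document root: it flags any file whose MD5 or SHA-256 matches the hashes listed on this page, flags PHP files under wp-content/uploads (a heuristic, since WordPress never stores executable PHP there), and reads the WooCommerce Payments plugin header to report whether the installed version falls inside the affected 4.8.0 through 5.6.1 range. The plugin main-file path wp-content/plugins/woocommerce-payments/woocommerce-payments.php is assumed (the standard WordPress layout and the plugin's usual file name), and the sample site built by build_sample_tree is constructed for the demo, with placeholder content rather than any real payload.

```python
"""Added example: IOC and exposure check for the PHP/Payoow.CO!tr outbreak.

Walks a WordPress document root, flags files matching the MD5/SHA-256
listed on the advisory page, flags PHP files under wp-content/uploads,
and reports whether the WooCommerce Payments plugin version is within
the affected 4.8.0 - 5.6.1 range (CVE-2023-28121).
"""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path

# Hashes taken from the advisory page.
IOC_MD5 = {"fb1fd5d5ac7128bf23378ef3e238baba"}
IOC_SHA256 = {"e5797f9c2dcaee289db4400bf25091ba65b5b79d2c3b1be4855b50b1448c6594"}

# Affected range per the advisory, inclusive.
AFFECTED_MIN = (4, 8, 0)
AFFECTED_MAX = (5, 6, 1)

# Assumption: standard WordPress layout and the plugin's usual main-file name.
PLUGIN_MAIN = Path("wp-content/plugins/woocommerce-payments/woocommerce-payments.php")
UPLOADS = Path("wp-content/uploads")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def parse_version(header_text):
    """Return the plugin header's 'Version:' field as a 3-int tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version):
    """True when the version lies within the advisory's affected range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def file_hashes(path):
    """Stream a file through MD5 and SHA-256; returns (md5_hex, sha256_hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan(root, ioc_md5=IOC_MD5, ioc_sha256=IOC_SHA256):
    """Scan a document root; returns findings with paths relative to root."""
    root = Path(root)
    ioc_hits, uploads_php = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            rel = path.relative_to(root)
            md5_hex, sha_hex = file_hashes(path)
            if md5_hex in ioc_md5 or sha_hex in ioc_sha256:
                ioc_hits.append(rel.as_posix())
            # Heuristic: WordPress never stores executable PHP under uploads.
            if path.suffix.lower() in PHP_SUFFIXES and rel.parts[:2] == UPLOADS.parts:
                uploads_php.append(rel.as_posix())
    plugin_file = root / PLUGIN_MAIN
    version = parse_version(plugin_file.read_text(errors="replace")) if plugin_file.is_file() else None
    return {
        "ioc_hits": sorted(ioc_hits),
        "php_in_uploads": sorted(uploads_php),
        "plugin_version": version,
        "plugin_affected": is_affected(version),
    }


def build_sample_tree(root):
    """Constructed sample site: affected plugin header, a placeholder PHP drop in uploads, a benign file."""
    root = Path(root)
    (root / PLUGIN_MAIN).parent.mkdir(parents=True)
    (root / PLUGIN_MAIN).write_text("<?php\n/**\n * Plugin Name: WooCommerce Payments\n * Version: 5.6.1\n */\n")
    drop_dir = root / UPLOADS / "2023" / "07"
    drop_dir.mkdir(parents=True)
    (drop_dir / "dropped-sample.php").write_bytes(b"<?php /* constructed placeholder, not a real payload */\n")
    (root / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")


def demo():
    """Scan the constructed tree, using the placeholder drop's own hashes as the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        md5_hex, sha_hex = file_hashes(Path(tmp) / UPLOADS / "2023" / "07" / "dropped-sample.php")
        return scan(tmp, ioc_md5={md5_hex}, ioc_sha256={sha_hex})


if __name__ == "__main__":
    # Usage: python payoow_check.py /var/www/html   (no argument runs the constructed demo)
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against a real site, run it with the document root as the only argument; the default IOC set is the pair of hashes from this page, so a hit in ioc_hits is a match for the detected payload, while php_in_uploads and plugin_affected are leads to investigate rather than confirmations on their own.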
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiGate | |
FortiClient | |
FortiAPS | |
FortiAPU | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2023-07-26 | 91.05460 | |