PHP/Payoow.CO!tr

Analysis

PHP/Payoow.CO!tr is a generic detection for a trojan.
Because the detection is generic, malware detected as PHP/Payoow.CO!tr may vary in behaviour.
Below are some of its observed characteristics and behaviours:

  • This malware is associated with the WooCommerce Payments outbreak and involves the CVE-2023-28121 vulnerability, which is found in the WooCommerce plugins for WordPress, versions 5.6.1 and earlier.

  • PHP/Payoow.CO!tr allows a remote, unauthenticated attacker to send requests on behalf of privileged users such as administrators and thereby obtain administrative access to a web page.

  • Below are images of the malicious payload:
    • Figure 1: Obfuscated malicious payload.
    • Figure 2: Deobfuscated payload file.

  • This malware has been associated with the following third-party articles/advisories:
    • https://nvd.nist.gov/vuln/detail/CVE-2023-28121
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28121

  • The following near/exact IOCs (file hashes) are associated with this detection:
    • MD5: fb1fd5d5ac7128bf23378ef3e238baba
    • SHA256: e5797f9c2dcaee289db4400bf25091ba65b5b79d2c3b1be4855b50b1448c6594

Outbreak Alert

An authentication bypass vulnerability affects the WooCommerce Payments plugin, versions 4.8.0 through 5.6.1. Successful exploitation could allow an unauthorized attacker to gain admin privileges on affected WordPress websites and to impersonate arbitrary users, including an administrator, potentially leading to site takeover.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
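The two file hashes listed under the IOCs above, together with the recommended action of quarantining detected files, are enough to build a simple host-side sweep of a WordPress document root. The following Python script is an added example written for this page; it is not Fortinet's code and is not part of the FortiGate/FortiClient detection. It walks a directory tree, computes MD5 and SHA-256 of every file in a single pass, reports files whose digest matches the IOC set, and moves matches into a quarantine directory renamed by their SHA-256 so the original filename can no longer be requested through the web server. The `demo()` function builds a constructed sample directory (the sample file is a harmless placeholder, not the real payload) and registers its own digest as an extra IOC purely to exercise the matching logic; the directory paths and the `.quarantined` suffix are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# IOC hashes as listed on the detection page for PHP/Payoow.CO!tr.
IOC_HASHES = {
    "md5": {"fb1fd5d5ac7128bf23378ef3e238baba"},
    "sha256": {"e5797f9c2dcaee289db4400bf25091ba65b5b79d2c3b1be4855b50b1448c6594"},
}

CHUNK = 1 << 16  # read files in 64 KiB pieces so large uploads do not load into memory


def hash_file(path):
    """Return (md5_hex, sha256_hex) for a file, computed in one pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, iocs=IOC_HASHES):
    """Walk `root` and return sorted (path, algorithm, digest) tuples for IOC matches.

    Every regular file is hashed; no extension filter is applied, because a PHP
    payload dropped by an attacker need not carry a .php suffix.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished between listing and hashing
            if md5 in iocs.get("md5", ()):
                hits.append((str(path), "md5", md5))
            if sha256 in iocs.get("sha256", ()):
                hits.append((str(path), "sha256", sha256))
    return sorted(hits)


def quarantine(hits, quarantine_dir):
    """Move each matched file into `quarantine_dir`, renamed to <sha256>.quarantined.

    Returns a dict mapping the original path to its new location. A file that
    matched on both MD5 and SHA-256 appears twice in `hits` but is moved once.
    """
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = {}
    for path, _algo, _digest in hits:
        if path in moved:
            continue
        _md5, sha256 = hash_file(path)  # hash before the move, while the path is valid
        dest = quarantine_dir / f"{sha256}.quarantined"
        shutil.move(path, str(dest))
        moved[path] = str(dest)
    return moved


def demo():
    """Constructed sample run: one benign file, one file registered as an IOC."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "index.php"
        benign.write_bytes(b"<?php echo 'hello'; ?>\n")
        sample = Path(tmp) / "wp-content" / "uploads" / "sample.php"
        sample.parent.mkdir(parents=True)
        # Placeholder content; its digests are added to the IOC set below only for the demo.
        sample.write_bytes(b"<?php /* constructed sample, not the real payload */ ?>\n")
        md5, sha256 = hash_file(sample)
        iocs = {
            "md5": IOC_HASHES["md5"] | {md5},
            "sha256": IOC_HASHES["sha256"] | {sha256},
        }
        hits = scan_tree(tmp, iocs)
        moved = quarantine(hits, Path(tmp) / "quarantine")
        return {
            "hits": [(Path(p).name, algo) for p, algo, _ in hits],
            "quarantined": len(moved),
            "benign_after": benign.exists(),
            "sample_after": sample.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, `scan_tree("/var/www/html")` followed by `quarantine(hits, "/var/quarantine")` performs the sweep; the page's own IOC set is used when no `iocs` argument is given. Exact hash matching only catches byte-identical copies of the sample: the page notes that the payload is obfuscated, and a re-obfuscated or lightly edited variant will produce different digests, so hash hits confirm a known copy but a clean sweep does not prove the site is uncompromised. Replacing quarantined files with clean backup copies, as the recommended action states, remains a manual step.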

Telemetry

Detection Availability

  • FortiGate
  • FortiClient
  • FortiAPS
  • FortiAPU
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date        Version   Detail
2023-07-26  91.05460  