Over 23,000 websites set up with the help of Joomla, WordPress and Drupal content management systems have been compromised and used for illegal search engine optimization by an attacker who managed to social-engineer site administrators to install a backdoor on their servers.
Dubbed CryptoPHP because of its use of RSA Public Key cryptography for communication with its C&C servers, the backdoor has been included in pirated themes and plug-ins for the aforementioned CMSes, and linked for download on some two dozen specially crafted sites that openly offer pirated software and “nulled” scripts:
It’s interesting to note that for each of these downloads a link to VirusTotal was provided, ostensibly showing a scan that proves the file is clean. Unfortunately, the shown scan results were those of another, non-malicious file.
Once a plugin or theme is installed by a site administrator, the backdoor is also embedded, and adds an extra administrator account that allows the attackers to access to the website even if the backdoor is found and removed.
CryptoPHP is capable of updating itself, contact an extensive infrastructure of C&C domains and communicate in encrypted form, and can be controlled via email or manually should the C&C servers be taken down.
“We’ve identified thousands of backdoored plug-ins and themes which contained 16 versions of CryptoPHP as of the 12th of November 2014. Their first ever version went live on the 25th of September 2013 which was version 0.1, they are currently on version 1.0a which was first released on the 12th of November 2014,” Fox IT researchers explained in a whitepaper.
Several days later, they noted that the attackers have pushed out a new version of the backdoor, but used the same version number (1.0).
“With the help of the NCSC, Abuse.ch, Shadowserver and Spamhaus we have been able to gather data about the scale of the operation ran by the CryptoPHP authors. Most C&C domains that were active at the time of publishing have been either sinkholed or taken down. From the sinkholed domains we’ve been able to gather statistics,” they shared.
“In total 23.693 unique IP addresses connected to the sinkholes. We are already seeing a decline in sinkhole connections, on the 22nd 20.305 connections were made, on the 23rd 18.994 and on the 24th it was already down to 16.786. These numbers are however not a clear indication, mostly because the servers connecting to our sinkholes were shared hosting with at least 1 or multiple backdoored websites. This means the actual affected websites will be higher.”
The websites that offered the backdoored themes and plug-ins also went offline, but only for a day.
The researchers have provided two Python scripts to help administrators detect CryptoPHP, and have provided instruction on what to do to remove it and steps to take to ensure that the attackers don’t have access to the server anymore.