Incident Response, Malware, TDR

Pirated Joomla, WordPress, Drupal themes and plugins contain CryptoPHP backdoor

Illegal search engine optimization (SEO) is the goal of attackers who are freely distributing pirated Joomla, WordPress and Drupal themes and plugins that are packaged with a backdoor being referred to as CryptoPHP.

Last week Fox-It released a whitepaper on CryptoPHP, and in a Wednesday post the security company revealed that most of the command-and-control domains had been sinkholed or taken down.

Researchers observed 23,693 unique IP addresses connecting to the sinkholes, but by Monday that number had dipped to 16,786, according to the post.

“These numbers are however not a clear indication, mostly because the servers connecting to our sinkholes were shared hosting with at least [one] or multiple backdoored websites,” according to the post. “This means the actual affected websites will be higher.”

Looking at the 23,693 connections to the sinkhole, CryptoPHP had the greatest impact in the U.S., where researchers observed 8,657 infections. 2,877 infections were observed in Germany, 1,231 infections were observed in France, 1,008 infections were observed in the Netherlands, and 749 infections were observed in Turkey. 9,171 infections were observed in all other countries combined.

Although the number of connections to the sinkholes is declining, Yonathan Klijnsma, a security analyst with Fox-IT, told in a Wednesday email correspondence that the threat is not over since the attackers are still distributing the compromised plugins and themes via their websites. He added that the attackers – who did not name the backdoor CryptoPHP – are now probably aware that researchers have caught on and may change their strategy.

“I think by now they noticed due to domains going offline and servers being taken down (server takedown is in process, taking down physical machines is a lengthier process),” Klijnsma said. “So if they know about the [whitepaper] by now I think they'll be changing their operation. Seeing as it's a source of income for them I expect they will continue doing this.”

Joomla, WordPress and Drupal users were infected with CryptoPHP when freely downloading pirated themes and plugins from websites including ‘dailynulled[dot]com' and ‘nulledstylez[dot]com,' the whitepaper indicates, adding all content on these sites contained CryptoPHP.

Researchers have only observed CryptoPHP being used for automated Blackhat SEO – techniques that generally leverage illegal tactics to improve the rank of websites by search engines such as Google and Bing; casino and gambling sites in this case – but the backdoor provides full access to the infected websites, Klijnsma said.

“The backdoor gives them full access to your server, they can do anything they want with it,” Klijnsma said. “The content altering already happens with the blackhat SEO and of course they could start serving malware with those sites as well. As for the data stealing, we have already seen that they inject JavaScript snippet into the WordPress login pages to steal the administrators' credentials as well.”

Daniel Cid, CTO of Sucuri, told in a Wednesday email correspondence that these types of threats are fairly common.

“Not only for website themes and plugins, but also for downloads of common desktop software,” Cid said. “The main take way for webmasters is that they have to be extra careful when downloading plugins and themes from the internet. They should always go to the main source and official pages to get them.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.