Most of the command-and-control domains had been sinkholed or taken down, and researchers observed 23,693 unique IP addresses connecting to the sinkholes.

Illegal search engine optimization (SEO) is the goal of attackers who are freely distributing pirated Joomla, WordPress and Drupal themes and plugins that are packaged with a backdoor being referred to as CryptoPHP.

Last week Fox-IT released a whitepaper on CryptoPHP, and in a Wednesday post the security company revealed that most of the command-and-control domains had been sinkholed or taken down.

Researchers observed 23,693 unique IP addresses connecting to the sinkholes, but by Monday that number had dipped to 16,786, according to the post.

“These numbers are however not a clear indication, mostly because the servers connecting to our sinkholes were shared hosting with at least [one] or multiple backdoored websites,” according to the post. “This means the actual affected websites will be higher.”

Of the 23,693 connections to the sinkhole, the largest share came from the U.S., where researchers observed 8,657 infections, followed by Germany (2,877), France (1,231), the Netherlands (1,008) and Turkey (749). The remaining 9,171 infections were spread across all other countries combined.

Although the number of connections to the sinkholes is declining, Yonathan Klijnsma, a security analyst with Fox-IT, told SCMagazine.com in a Wednesday email correspondence that the threat is not over since the attackers are still distributing the compromised plugins and themes via their websites. He added that the attackers – who did not name the backdoor CryptoPHP – are now probably aware that researchers have caught on and may change their strategy.

“I think by now they noticed due to domains going offline and servers being taken down (server takedown is in process, taking down physical machines is a lengthier process),” Klijnsma said. “So if they know about the [whitepaper] by now I think they'll be changing their operation. Seeing as it's a source of income for them I expect they will continue doing this.”