A large proportion of websites are built on a content management system (CMS) rather than hand-written HTML. Three of the most common are WordPress, Joomla and Drupal, and security researchers at Fox-IT warn that administrators of such sites are at risk of being socially engineered into installing the CryptoPHP backdoor on their own servers.
Distributed through pirated ("nulled") themes and plugins, CryptoPHP spreads thanks to the light-fingeredness of site admins who install software they have not paid for. It was first detected in 2013 and is still actively spreading. The capabilities of the “well developed” backdoor include remote control of an infected server and blackhat SEO, the manipulation of search engine rankings in violation of the search engines' rules.
We found the following list of 20 websites being used to distribute the CryptoPHP backdoor:
anythingforwp.com
awesome4wp.com
bestnulledscripts.com
dailynulled.com
freeforwp.com
freemiumscripts.com
getnulledscripts.com
izplace.com
mightywordpress.com
nulledirectory.com
nulledlistings.com
nullednet.com
nulledstylez.com
nulledwp.com
nullit.net
topnulledownload.com
websitesdesignaffordable.com
wp-nulled.com
yoctotemplates.com
The following websites host the actual plug-in and theme files used for direct download:
bulkyfiles.com
linkzquickz.com
Fox-IT warns that thousands of websites have been compromised by CryptoPHP. The threat is so named because it uses RSA public key cryptography to protect its communication with the servers that control it. The main source associated with the spread of the backdoor is nulledstylez.com, but numerous other sites dealing in pirated plugins and themes are involved, including freemiumscripts.com, wp-nulled.com and mightywordpress.com.
Each of the downloads was advertised by the site providing it as free of viruses, but Fox-IT points out that the versions actually made available for download differed from the ones that had been verified as clean by VirusTotal, so the scan result said nothing about the file a visitor really received. On examining the contents of the pirated downloads, files whose timestamps differed from the rest of the archive were found to contain the backdoor, hidden in PHP code.
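The timestamp observation above translates directly into a cheap triage check for any theme or plugin archive: files stamped well outside the build time of the rest of the package deserve a closer look, and any of them that contains a PHP open tag plus an eval/decode construct deserves a much closer one. The script below is an added example written for this article, not Fox-IT's own detection script; the suspicious-construct patterns are generic indicators chosen here, not CryptoPHP signatures, and the sample theme tree it builds is constructed data.

```python
import os
import re
import statistics
import tempfile
from pathlib import Path

# Constructs typical of obfuscated PHP backdoors. These are generic
# indicators chosen for this example, not signatures from the Fox-IT paper.
SUSPICIOUS = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    rb"openssl_public_decrypt\s*\(|create_function\s*\("
)
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)")


def timestamp_outliers(root, tolerance=24 * 3600):
    """Files whose mtime is more than `tolerance` seconds from the tree's
    median mtime. A theme is normally packaged in one go, so its files
    cluster tightly; a file planted later stands out."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    if len(files) < 2:
        return []
    mtimes = {p: p.stat().st_mtime for p in files}
    median = statistics.median(mtimes.values())
    return sorted(p for p, t in mtimes.items() if abs(t - median) > tolerance)


def looks_like_php_backdoor(path):
    """True if the file contains a PHP open tag and a suspicious construct.
    The extension is deliberately ignored: a file include()d by a theme can
    carry any name, including that of an image."""
    data = Path(path).read_bytes()
    return bool(PHP_OPEN_TAG.search(data) and SUSPICIOUS.search(data))


def scan(root, tolerance=24 * 3600):
    """Paths (relative to root) that are both timestamp outliers and look
    like PHP backdoors."""
    root = Path(root)
    return [str(p.relative_to(root))
            for p in timestamp_outliers(root, tolerance)
            if looks_like_php_backdoor(p)]


def build_sample_theme():
    """Construct a sample 'nulled' theme tree (constructed data, not a real
    theme): legitimate files stamped at one build time plus one file with a
    newer timestamp carrying an eval(base64_decode(...)) stub under an
    image-looking name."""
    root = Path(tempfile.mkdtemp(prefix="theme_"))
    build_time = 1_380_000_000  # fixed epoch so the example is deterministic
    legit = {
        "style.css": b"/*\nTheme Name: Sample\n*/\n",
        "functions.php": b"<?php\nadd_action('init', 'sample_init');\n",
        "inc/header.php": b"<?php get_header(); ?>\n",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for name, body in legit.items():
        f = root / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(body)
        os.utime(f, (build_time, build_time))
    planted = root / "assets" / "image.png"
    planted.write_bytes(b"<?php eval(base64_decode('ZWNobyAnaGknOw=='));\n")
    later = build_time + 30 * 86400
    os.utime(planted, (later, later))
    return root


if __name__ == "__main__":
    for hit in scan(build_sample_theme()):
        print("suspicious:", hit)
```

Run it against an unpacked download (`scan("/path/to/theme")`) before the theme goes anywhere near a live site. Timestamps are only a heuristic, since a careful attacker can copy them from the neighbouring files, so a clean result from this check is not a clean bill of health; it is a way to rank which files to read first.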
While there is little to stop CryptoPHP from infecting other CMSs, WordPress, Joomla and Drupal are the main targets because of their popularity. The installation varies from platform to platform, but in the case of WordPress an extra administrator account is added so that the attackers keep access even if the backdoor file itself is removed. Cleaning up therefore means auditing user accounts as well as deleting the malicious code.
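Because the WordPress variant leaves a second way in, removing the planted file is only half the job; the administrator list has to be compared against the accounts the site owner actually created. The audit below is an added example for this article, not code from Fox-IT or the WordPress project. It uses the real wp_users and wp_usermeta column names and WordPress's serialized role format, but runs against a constructed in-memory SQLite copy so it works offline; against a live site the same query runs over a MySQL connection (with `%s` placeholders instead of `?`). The user names and dates in the sample are invented.

```python
import re
import sqlite3

# WordPress keeps each user's roles as a PHP-serialized array in wp_usermeta
# under the key "<table prefix>capabilities"; for an administrator the value
# contains the serialized string s:13:"administrator".
ROLE_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def administrators(conn, table_prefix="wp_"):
    """All accounts holding the administrator role. The prefix has to be
    interpolated into table names, so it is validated first; the role key
    itself goes through a bound parameter."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", table_prefix):
        raise ValueError("unsafe table prefix: %r" % table_prefix)
    query = ROLE_QUERY.format(p=table_prefix)
    return conn.execute(query, (table_prefix + "capabilities",)).fetchall()


def unexpected_admins(conn, expected_logins, table_prefix="wp_"):
    """Administrator accounts whose login is not on the owner's allowlist."""
    allowed = set(expected_logins)
    return [row for row in administrators(conn, table_prefix)
            if row[1] not in allowed]


def build_sample_db():
    """Constructed in-memory copy of the two relevant tables (sample data,
    not a real site): the legitimate owner, an editor, and an administrator
    registered long after the others."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
            user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "siteowner", "owner@example.com", "2013-02-01 10:00:00"),
        (2, "editor", "editor@example.com", "2013-03-15 09:30:00"),
        (3, "support", "support@example.net", "2014-11-20 03:12:44"),
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
        "VALUES (?, ?, ?)", [
            (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
            (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        ])
    return conn


if __name__ == "__main__":
    for row in unexpected_admins(build_sample_db(), {"siteowner"}):
        print("unexpected administrator:", row)
```

The registration date returned with each row is worth reading alongside the login name: an administrator created on a date nobody remembers, or at 3 a.m., is the one to remove and to check against the web server logs. On a site where WP-CLI is installed, `wp user list --role=administrator` gives the same list without touching the database directly.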
Tracing the activity of CryptoPHP appears to lead back to a Moldovan IP address, specifically in the capital, Chișinău. Command-and-control servers have been identified in the US, Poland, Germany and the Netherlands, and Fox-IT has produced a white paper that details how to detect the presence of the backdoor.