A backdoor distributed through thousands of pirated themes and plug-ins for the Joomla, WordPress and Drupal CMSs has recently been spotted in the wild. Researchers have found that the operators behind CryptoPHP used it to break into command-and-control (C&C) servers and infected more than 23,000 IP addresses with the threat.
Information on the scope of the threat is being gathered by the security company Fox-IT in cooperation with the Swiss security blog Abuse.ch, the Shadowserver Foundation (https://www.shadowserver.org/wiki/) and Spamhaus. After analyzing the most active servers, researchers noticed that the number of IP addresses contacting them is decreasing, reaching 16,786 on November 24th.
Bear in mind, though, that these figures may not be exact. An affected web server may host several websites as well as the malware, and the malware can infect several pages of a single website, so the real number could be higher.
The analysis shows that most of the infected addresses are in the United States, with 8,657 infected IPs known so far. Germany is second, with far fewer infections: 2,877 IPs.
Backdoor Variants and Techniques
Fox-IT has so far spotted about 16 versions of CryptoPHP spreading through pirated themes and plug-ins for content management systems. The first dates back to September 2013 and the latest, CryptoPHP 1.0, was found on 12th November this year. Something very interesting happened last Sunday (23rd November): many of the malware-spreading sites disappeared, only to reappear on Monday (24th November) carrying the new version of the malware. They are still active today.
In its report on the subject, Fox-IT states that CryptoPHP uses a technique resembling the one search engines use to index content: the malware detects whether the visitor of a page is a web crawler and, if so, injects links or text into the affected pages, a Blackhat SEO technique.
Blackhat SEO (Search Engine Optimization) is a technique usually used to raise a website's ranking by circumventing the search engines' legitimate rules. Breaching search engine best practices can lead to the website using Blackhat SEO being banned.
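The crawler-detection trick described above can be checked for from the outside: request the same page once as a browser and once as a search-engine crawler, and compare the links each response contains. The script below is an added illustration, not Fox-IT's code or its GitHub scripts; the HTML responses and the `fake_fetch` helper are constructed stand-ins so it runs offline.

```python
"""Cloaking check for the crawler-detection technique described above.
Added illustration, not Fox-IT's code or its GitHub scripts: fetch one page
as a browser and as a crawler and report links only the crawler receives.
Responses are constructed inline so the check runs offline."""
import re
from html.parser import HTMLParser
from typing import Callable, Set

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/33.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)

def extract_links(html: str) -> Set[str]:
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def cloaked_links(url: str, fetch: Callable[[str, str], str]) -> Set[str]:
    """Links served to the crawler UA but hidden from the browser UA."""
    return extract_links(fetch(url, CRAWLER_UA)) - extract_links(fetch(url, BROWSER_UA))

# Constructed sample responses: a site whose trojanised plug-in adds hidden
# spam links only when the visitor looks like a search-engine crawler.
CLEAN_PAGE = '<html><body><a href="/about">About</a><a href="/blog">Blog</a></body></html>'
SPAM_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<div style="display:none"><a href="http://spam.example/pills">pills</a>'
    '<a href="http://spam.example/loans">loans</a></div></body>',
)

def fake_fetch(url: str, user_agent: str) -> str:
    """Stand-in for an HTTP GET (assumed helper): cloaks on a crawler-like UA."""
    if re.search(r"bot|crawl|spider|slurp", user_agent, re.IGNORECASE):
        return SPAM_PAGE
    return CLEAN_PAGE
```

Against a live site, replace `fake_fetch` with a real HTTP client that sets the `User-Agent` header; any non-empty result from `cloaked_links` is worth a closer look at the installed themes and plug-ins.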
Who Is It?
Researchers think that the person behind this attack is based in Chisinau, Moldova's capital. This rests on the discovery of the username "chishijen12", whose IP address is located in Moldova and which has been active since December 2013. The user may of course be hiding behind a VPN or a proxy.
It is also known that the malware uses a public RSA key to encrypt the communication between the victim and the command-and-control server. If the server is taken down, communication continues via email. If that is shut down as well, the backdoor can be controlled manually without needing a C&C server at all.
Fox-IT has created two Python scripts for users to determine whether they have the backdoor. Both are available on the file-sharing platform GitHub: one determines whether you have the threat, the other scans all your files. The clean-up steps also include removing additional administrative accounts and removing obsolete certificates.
Although these steps should be enough, researchers recommend installing a clean copy of the CMS, just to make sure no backdoor remains.