CryptoPHP has a sting in the tail
Attackers are using legitimate-looking sites to tempt webmasters into downloading software that creates a backdoor on their web servers. This new threat has been called CryptoPHP and was detailed in a blog post published by Fox-IT. It affects the Joomla, Drupal and WordPress content management systems. CryptoPHP looks to have been around since September 2013. It uses legitimate-looking sites to fool developers into downloading various infected WordPress themes and plugins that contain the backdoor.
CryptoPHP aims to infect web servers on a large scale; its main purpose is to use Black Hat SEO techniques to artificially boost search engine listings. The techniques used include invisible text, doorway pages and keyword stuffing. Black Hat SEO methods of this kind are often used for the purpose of setting up scam pages.
Once installed, the backdoor communicates with a command and control server over an encrypted channel, making CryptoPHP's traffic difficult to distinguish from normal network traffic. The malware also contains a list of command and control server names; if these domains are taken down or blocked, it can switch to email for communications. It can also check for updates and download them.
According to the report, sixteen different versions of the malware have been identified; the first version was released on September 25, 2013. The report also states that “by publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.”