Home / Blog
CryptPHP Malware - PHP Scripts Attack

The purpose of this Blog is to inform you about the new Virus / Malware Attack on PHP Scripts of Content Management Systems.

CryptoPHP: Analysis of a hidden threat inside popular CMS

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular Content Management Systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IPís
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

Fox IT Security have identified thousands of backdoored plug-ins and themes which contained 16 versions of CryptoPHP as of the November 2014.
Their first ever version went live on the 25th of September 2013 which was version 0.1, they are currently on version 1.0a which was first released on the 12th of November 2014.

Kindly avoid using the nulled wordpress themes / templates / Plugins. Remove All the UN-necessory Scripts installed in your Websites. This infection almost certainly means that the infected web site has used pirated plugins from the nulledstylez.com, dailynulled.com sites or some other site that specializes in providing "nulled" (pirated) software.

Read all the details in the whitepaper: CryptoPHP-Whitepaper-FoxSRT

If you have any question or need consultation, please do not hesitate to contact us at: support@yi.com.pk