CryptoPHP: Thousands of CMS Themes and plugins have Backdoor
CryptoPHP: Thousands of CMS Themes and plugins have Backdoor, all about CryptoPHP, CryptoPHP Offers Free CMS Plug-ins that Hide Backdoors, Nulled Scripts & CryptoPHP Infection, CryptoPHP: Infected WordPress Sites, CryptoPHP: Analysis of a hidden threat inside popular, WordPress Security, WordPress hacked,
Many of the developer use the pirated version of the themes for the website but is this a good practice. Here, answer is simply NO.
"By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server," - Fox-IT researcher says on research paper.When this pirated theme is installed on the respective CMS server the backdoor (CryptoPHP) also gives the access to the particular site. Attacker (hacker) controlled backdoor with various technique like command and control server (C&C) communication, email communication and manual control as well.
Features of CryptoPHP backdoor
The CryptoPHP backdoor has a few features that made it stand out for us. It lacked the usual attack vectors we normally see with web based backdoors, it social engineers website administrators to install itself through the use of popular free plug-ins, themes and extensions. CryptoPHP contains the following features:
- It uses the framework of the CMS to function
- It uses the database of the CMS to store information
- It uses public key encryption for anything transferred from and to the C2 servers
- Utilizes a large amount of C2 servers (rather than a single one)
- Older versions contain a backup mechanism against takedowns, in the form of email communication
- Supports manual control (other than the automated C2 communication)
- Can update C2 servers remotely
- Ability to update itself
- Inject content into the webpages
- Code execution
Why They are Doing this?
For every attack or thing there is a reasons behind it, and same for this also. Cyber Criminals or Miscreants uses CryptoPHP backdoor for illegal Search Engine Optimization (SEO), which is also known as Black Hat SEO. This also gives the backlinks to the attacker site which is one of the important factor for ranking results.
Black Hat SEO is a technique which helps the site to rank first on the search engine results and this is done by violating search engine guideline. Webmaster (attacker) can violates search engine guidelines by hacking sites for backlinks, inserting iframe link attribute, inserting unrelated keywords etc..
Fox-IT mention that they have found 16 variants of the CryptoPHP backdoor and was first dicovered on 25th September 2013, and they claims that there are thousands of affected sites or even more.
We also recommend our all users not to use the nulled or pirated version of the themes and also asked to check all the plugins and theme source code on a routinely. It is also a good practice to check all the external going out from your sites.