CryptoPHP: Thousands of CMS Themes and plugins have Backdoor

CryptoPHP: Thousands of CMS Themes and plugins have Backdoor, all about CryptoPHP, CryptoPHP Offers Free CMS Plug-ins that Hide Backdoors, Nulled Scripts & CryptoPHP Infection, CryptoPHP: Infected WordPress Sites, CryptoPHP: Analysis of a hidden threat inside popular, WordPress Security, WordPress hacked,

Admin

November 24, 2014

CryptoPHP: Thousands of CMS Themes and plugins have Backdoor, all about CryptoPHP, CryptoPHP Offers Free CMS Plug-ins that Hide Backdoors, Nulled Scripts & CryptoPHP Infection, CryptoPHP: Infected WordPress Sites, CryptoPHP: Analysis of a hidden threat inside popular, WordPress Security, WordPress hacked,

In today's world every small business house have their own websites and also many users includes Politician, Journalist, high profiled person and even there are many users who own their personal websites. There are many few of them who use their own custom CMS (Content Management System) for websites and majority of then uses the popular opensource CMS - WordPress, Joomla and Durpal.

Many of the developer use the pirated version of the themes for the website but is this a good practice. Here, answer is simply NO.

A Netherlands based security firm Fox-IT have published a researcher paper which reveals they have discovered a backdoor on the thousand of the themes, plugins in the pirated version of the popular CMS themes. The themes which is downloaded from the sites which offer Paid themes for free (Pirated version) contains a backdoor dubbed as "CryptoPHP". The backdoor is present on themes as well as on many plugins also.

"By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server," - Fox-IT researcher says on research paper.

When this pirated theme is installed on the respective CMS server the backdoor (CryptoPHP) also gives the access to the particular site. Attacker (hacker) controlled backdoor with various technique like command and control server (C&C) communication, email communication and manual control as well.

Features of CryptoPHP backdoor
The CryptoPHP backdoor has a few features that made it stand out for us. It lacked the usual attack vectors we normally see with web based backdoors, it social engineers website administrators to install itself through the use of popular free plug-ins, themes and extensions. CryptoPHP contains the following features:

It uses the framework of the CMS to function
It uses the database of the CMS to store information
It uses public key encryption for anything transferred from and to the C2 servers
Utilizes a large amount of C2 servers (rather than a single one)
Older versions contain a backup mechanism against takedowns, in the form of email communication
Supports manual control (other than the automated C2 communication)
Can update C2 servers remotely
Ability to update itself
Inject content into the webpages
Code execution

Why They are Doing this?

For every attack or thing there is a reasons behind it, and same for this also. Cyber Criminals or Miscreants uses CryptoPHP backdoor for illegal Search Engine Optimization (SEO), which is also known as Black Hat SEO. This also gives the backlinks to the attacker site which is one of the important factor for ranking results.

Black Hat SEO is a technique which helps the site to rank first on the search engine results and this is done by violating search engine guideline. Webmaster (attacker) can violates search engine guidelines by hacking sites for backlinks, inserting iframe link attribute, inserting unrelated keywords etc..

Fox-IT mention that they have found 16 variants of the CryptoPHP backdoor and was first dicovered on 25th September 2013, and they claims that there are thousands of affected sites or even more.

We also recommend our all users not to use the nulled or pirated version of the themes and also asked to check all the plugins and theme source code on a routinely. It is also a good practice to check all the external going out from your sites.