Researchers have discovered a group of attackers who have published a variety of backdoored WordPress, Joomla and Drupal themes and plug-ins on legitimate-looking sites, tricking site developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites, and researchers say the attack may have been ongoing since September 2013.
The incident came to light through an investigation by researchers at Fox-IT in the Netherlands, who discovered it after noticing a compromised Joomla plug-in on a customer’s site. After a little investigation, they discovered that the plug-in had been downloaded from a site that offers a list of pirated themes and plug-ins.
“It didn’t come from the original publisher (Joomla Service Provider) but rather from a third party website claiming to be ‘the’ place for ‘nulled’ scripts. The concept of nulled scripts is similar to pirated software: stripped of any licensing checks; in short, this is piracy,” Fox-IT said in a detailed research paper on the attack.
“While investigating the ‘nulledstylez.com’ website we found that every pirated plug-in, theme and extension contained the same backdoor. While making a mirror of all the content published on the website we found some ZIP files with a similar comment as the one from the initial incident but referring to a different domain. This website, ‘dailynulled.com’, was similar to the ‘nulledstylez.com’ one in that it also published pirated themes and plug-ins for WordPress, Joomla and Drupal. All these websites publish similar content; these plug-ins are available from multiple websites, which are managed by the same actors. All content provided by these websites is backdoored with CryptoPHP.”
CryptoPHP is the name the researchers have given to the malware that’s delivered with the backdoored components, and the backdoor has a number of capabilities. It carries several hardcoded domains for command-and-control communications and uses RSA encryption to protect its traffic with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The CryptoPHP malware can update itself, inject content into the compromised sites it sits on and perform several other functions.
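Because the backdoor rode in with otherwise ordinary theme and plug-in files, the practical first check for a site owner is to look for the kind of code a legitimate component has no reason to contain. The following is an added example written for this article, not tooling from Fox-IT or from any of the projects involved: it walks a plug-in or theme directory and flags PHP lines that run code produced by decoding functions, evaluate the contents of variables, or call a function held in a variable. The rule names, the sample PHP snippets and the directory layout are all constructed for illustration; the patterns are generic indicators of obfuscated PHP, not signatures for CryptoPHP itself.

```python
"""Heuristic scan of a PHP theme/plug-in tree for obfuscated code execution.

Added example, not Fox-IT's or any project's code. Rule names and sample
snippets are constructed. Generic indicators only, not CryptoPHP signatures.
"""
import re
from pathlib import Path

# Each rule is a regex applied line by line. Names are our own labels.
RULES = {
    # eval()/assert()/create_function() fed directly by a decoding or
    # unpacking function: code that is deliberately hidden from reviewers.
    "eval_over_decoded_data": re.compile(
        r"\b(eval|assert|create_function)\s*\(\s*@?"
        r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE,
    ),
    # eval($something): the code to run arrives at runtime, e.g. from a request.
    "eval_of_variable": re.compile(r"\b(eval|assert)\s*\(\s*@?\$\w+", re.IGNORECASE),
    # $f($x); the called function is chosen at runtime. Legitimate code uses
    # this for callbacks too, so treat it as a lead, not a verdict.
    "dynamic_function_call": re.compile(r"\$\w+\s*\(\s*@?\$\w+\s*\)\s*;"),
    # Very long base64 literal embedded in source.
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_source(src):
    """Return [(line_number, rule_name), ...] for every rule hit in a PHP source string."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Scan every *.php file under root; return {path: hits} for files with findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples: an ordinary plug-in file and one carrying a hidden loader.
CLEAN_SAMPLE = (
    "<?php\n"
    "function example_widget_init() {\n"
    "    register_widget('Example_Widget');\n"
    "}\n"
)
SUSPECT_SAMPLE = (
    "<?php\n"
    "$f = 'base64_decode';\n"
    "$p = $f($payload);\n"
    "eval(gzinflate(base64_decode($blob)));\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, scan_source(sample))
    # Point at a real install, e.g. scan_tree("/var/www/html/wp-content/plugins")
```

Run `scan_tree()` against the extracted archive before installing it, and again against the live `wp-content` (or Joomla/Drupal equivalent) as a periodic check; anything it reports is a starting point for manual review, and comparing the flagged file with the same file from the vendor's official download settles most cases.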
But the main purpose of the malware is to conduct blackhat SEO operations. The goal of these campaigns is to inflate the search ranking of sites controlled by the attackers, or by their customers, so that those sites appear more legitimate to search engines. This is sometimes done for gambling sites or similar sites and can also be tied to other scams.
“We’ve observed that the eval and echo functionalities are being used to inject links and text into the webpages of the compromised server. The content is only injected when the visitor resembles a web crawler based on the user agent and/or hostname,” Fox-IT said. “The crawlers now think these compromised websites are linking to the injected ones; these injected websites will gain backlinks and thus page rank.”
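Serving different links to crawlers than to ordinary visitors is detectable from outside the site, which makes it a useful check both for owners of suspect installs and for anyone reviewing a site's reputation. The script below is an added example for this article, not Fox-IT's tooling: it parses the HTML a page returns to a browser user agent and to a crawler user agent, and reports the links that appear only in the crawler's view, along with the external hosts they point to. The user-agent strings are assumed values, and the two HTML documents are constructed to mimic the behaviour quoted above, with placeholder domains under example.net and example.com standing in for the injected targets.

```python
"""Detect crawler-only link injection by diffing browser and crawler views of a page.

Added example, not Fox-IT's code. User-agent strings are assumptions; the sample
HTML and the example.* domains are constructed. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkExtractor(HTMLParser):
    """Collect href values of every <a> tag, including ones inside hidden divs."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def external_hosts(links, own_host):
    """Hostnames referenced by links that do not point back at the site itself."""
    hosts = set()
    for link in links:
        host = urlparse(link).hostname
        if host and host != own_host:
            hosts.add(host)
    return hosts


def cloaked_links(browser_html, crawler_html, own_host):
    """Return (links seen only by the crawler, external hosts among them), both sorted."""
    only_crawler = extract_links(crawler_html) - extract_links(browser_html)
    return sorted(only_crawler), sorted(external_hosts(only_crawler, own_host))


def fetch(url, user_agent):
    """Fetch a page with a given User-Agent header (live check; not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def check_site(url):
    """Compare live browser and crawler views of one URL."""
    own_host = urlparse(url).hostname
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA), own_host)


# Constructed responses: the crawler view carries a hidden block of extra links.
BROWSER_VIEW = (
    '<html><body><a href="/about">About</a>'
    '<a href="https://shop.example.org/">Shop</a></body></html>'
)
CRAWLER_VIEW = (
    '<html><body><a href="/about">About</a>'
    '<a href="https://shop.example.org/">Shop</a>'
    '<div style="display:none"><a href="http://casino.example.net/play">best casino</a>'
    '<a href="http://pills.example.com/">cheap pills</a></div></body></html>'
)

if __name__ == "__main__":
    links, hosts = cloaked_links(BROWSER_VIEW, CRAWLER_VIEW, "www.example.org")
    print("crawler-only links:", links)
    print("external hosts:", hosts)
    # For a live site: print(check_site("https://www.example.org/"))
```

The check only covers the user-agent half of what Fox-IT describes. The backdoor also decides based on the visitor's hostname, so a request from an ordinary connection with a crawler User-Agent may still get the clean page; the definitive test in that case is reviewing the rendered output on the server itself, or fetching from an address whose reverse DNS looks like a search-engine crawler.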
The researchers have traced the attack to an IP address in Moldova, and the C2 servers are located in the Netherlands, Germany, Poland and the United States. Fox-IT said that it has identified thousands of backdoored plug-ins and themes, including WordPress and Joomla plug-ins and themes as well as Drupal themes.
“We’ve identified thousands of backdoored plug-ins and themes which contained 16 versions of CryptoPHP as of the 12th of November 2014. Their first ever version went live on the 25th of September 2013, which was version 0.1; they are currently on version 1.0a, which was first released on the 12th of November 2014. We cannot determine the exact number of affected websites, but we estimate that at least a few thousand websites are compromised by CryptoPHP,” Fox-IT said in a blog post on the attack.