A malicious WordPress plugin ironically called WP Security has been spotted in the wild encrypting blog posts and rendering the content unreadable. It’s capable of targeting individual posts — an unusual behavior, according to researchers.
According to Sucuri’s analysis, the plugin pulls the list of all posts on the site and encrypts the content of each one with AES-256-CBC, using PHP’s openssl_encrypt function. The encryption happens in the database: each post’s content is overwritten with the ciphertext, while everything else on the site is left untouched. The plugin then writes a log file listing the posts it has encrypted.
“This is the first time we’ve seen a plugin target specific blog posts on a website, but it’s possible that we’ll see this more often in the coming months,” Sucuri researcher Kasimir Konov said in a blog posting on Monday. “The website owner(s) complained of a newly installed and activated plugin on their website that was rendering their original content unreadable.”
The plugin is small and stealthy. Konov said it consists of only two PHP files and a single log file. It has no settings or controls, and once activated there is no obvious sign of it on the WordPress dashboard.
“The result is that the theme and everything else is working as expected, but the posts display an encrypted string,” he explained.
As for decryption, some keys are hard-coded in the script, but the main key needed to decrypt the content is not present in the plugin. Instead, a feature called WpEncryption fetches the encryption key from a remote website.
At the time of Sucuri’s investigation, that domain was returning a 404 error, which prevented further testing. Konov believes the remote domain is acting as a proxy.
“We believe there could be other websites involved in this campaign—in this case, the website appears to be another victim of an attack, rather than an actual malicious website or some kind of command-and-control server,” he said.
As with other crypto-locking attacks, the recovery path is a backup: sites hit by the plugin can restore the posts from a database backup taken before the encryption. As for how the plugin was installed in the first place, an attacker could simply have exploited a vulnerability in the site.
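To make the detection and recovery steps concrete, here is an added example; it is not Sucuri’s analysis code and not the plugin’s code. It assumes only what the article states: post content in the database has been replaced by the output of PHP’s openssl_encrypt in AES-256-CBC mode, which (without the OPENSSL_RAW_DATA flag) is a single base64 string. The wp_posts rows below are constructed sample data; in practice you would feed the functions rows from `SELECT ID, post_title, post_content FROM wp_posts` on the live site and on the backup. The helper `_fake_ciphertext` is a stand-in that only mimics the shape of ciphertext and performs no real encryption.

```python
"""Triage helper for a post-encrypting WordPress plugin (added example).

Flags wp_posts rows whose body looks like openssl_encrypt() AES-256-CBC output
(base64 text decoding to a block-aligned, high-entropy blob) and checks which of
those posts have a readable copy in a database backup. Sample rows are constructed.
"""
import base64
import hashlib
import math
import re
from collections import Counter

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
AES_BLOCK = 16  # AES block size in bytes; CBC + PKCS#7 output is a multiple of it


def _entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(content: str) -> bool:
    """Heuristic: does this post body look like base64-encoded CBC ciphertext?

    Real posts contain spaces, punctuation or HTML. The PHP default output of
    openssl_encrypt() is one unbroken run of base64 characters whose decoded
    length is a multiple of the AES block size and is close to uniformly random.
    """
    body = content.strip()
    if not body or not BASE64_RE.fullmatch(body) or len(body) % 4:
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    if len(raw) < AES_BLOCK or len(raw) % AES_BLOCK:
        return False
    # For short blobs the entropy ceiling is log2(len), so scale the threshold.
    return _entropy(raw) >= 0.7 * min(8.0, math.log2(len(raw)))


def flag_posts(rows):
    """Return the IDs of rows (dicts with ID and post_content) that look encrypted."""
    return [r["ID"] for r in rows if looks_encrypted(r["post_content"])]


def recovery_plan(live_rows, backup_rows):
    """Map each flagged live post to 'restore' when the backup holds a readable copy,
    else 'no_clean_copy' (post missing from the backup, or backup taken after the attack)."""
    backup = {r["ID"]: r["post_content"] for r in backup_rows}
    plan = {}
    for post_id in flag_posts(live_rows):
        copy = backup.get(post_id)
        clean = copy is not None and not looks_encrypted(copy)
        plan[post_id] = "restore" if clean else "no_clean_copy"
    return plan


def _fake_ciphertext(seed: bytes) -> str:
    """Constructed stand-in for ciphertext: 48 hash-derived bytes, base64 encoded.
    No real encryption happens here; only the shape of the output matters."""
    raw = hashlib.sha256(seed).digest() + hashlib.sha256(seed + b"1").digest()[:16]
    return base64.b64encode(raw).decode()


# Constructed sample rows standing in for wp_posts on the live site and in a backup.
LIVE_POSTS = [
    {"ID": 1, "post_title": "Hello world", "post_content": "<p>Welcome to WordPress. This is your first post.</p>"},
    {"ID": 2, "post_title": "Release notes", "post_content": _fake_ciphertext(b"post-2")},
    {"ID": 3, "post_title": "Short", "post_content": "Test"},
    {"ID": 4, "post_title": "Archive", "post_content": _fake_ciphertext(b"post-4")},
]
BACKUP_POSTS = [
    {"ID": 1, "post_content": "<p>Welcome to WordPress. This is your first post.</p>"},
    {"ID": 2, "post_content": "<p>Version 2.0 ships today.</p>"},
    {"ID": 4, "post_content": _fake_ciphertext(b"post-4")},  # backup taken after the attack
]

if __name__ == "__main__":
    print("suspect posts:", flag_posts(LIVE_POSTS))
    for post_id, action in recovery_plan(LIVE_POSTS, BACKUP_POSTS).items():
        print(f"post {post_id}: {action}")
```

The plugin’s own log file, where it survives, is the authoritative list of encrypted posts; the heuristic above is for the case where that log is missing or cannot be trusted. Nothing here decrypts anything: with the key fetched from a remote host that no longer answers, a post with no clean backup copy is not recoverable, which is the point of checking the backup before cleaning the site.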
“We always encourage webmasters to update all plugins and themes along with core WordPress files,” said Konov. “It’s also highly recommended that the database password be reset, as attackers often steal login credentials to connect remotely to the database after an infection is cleaned.”
Black Hat USA 2019 has kicked off this week in Las Vegas. Threatpost has more breaking news, stories and videos from Black Hat and DEF CON.