Trojan Threatens Owners of Drupal, WordPress and Joomla Sites

Fox-IT, a security vendor located in Netherlands, says that cyber crooks are running a blackhat SEO (search engine operation) operation which is threatening website owners using Joomla, Drupal and WordPress with a secret backdoor Trojan that links to the underlying web server in support of their operations.

The attackers are tricking administrators of website to install their malware-laden, pirated and other plug-ins for free. As per Fox-IT, cybercriminals can institute control of the server when a malware nicknamed 'CryptoPHP' is dropped on the server.

Fox-IT warns that CryptoPHP has compromised thousands of websites. The threat is so named as it uses RSA Public Key cryptography to protect communication with servers. Several sources have been associated with spread of the backdoor known as nulledstylez.com but many other websites like wp-nulled.com, mightywordpress.com and freemiumscripts.com are dealing in copied illegally plugins and themes.

The site has flagged each downloads subject to it being virus free but Fox-It points out that the versions made available for download varied in that they had been verified as virus free by VirusTotal. The pirated downloads have been re-checked and it has been found that files with different timestamps comprise the backdoor concealed in PHP code.

The researchers have found the attack to an IP address in Maldova and the C2 servers are located in Germany, United States, Poland and the Netherlands.

Threatpost.com reported on 20th November, 2014 quoting Fox-IT as saying "We have recognized thousands of backdoored plug-ins and themes comprising 16 editions of CryptoPHP as on 12th November, 2014. Their first ever version became live on 25th September, 2013 which was version 0.1 and they are presently on version 1.0a which was first released on 12th November, 2014. We cannot get the exact number of sites affected but we can approximate that at the most few thousand sites have been hijacked by CryptoPHP."

Fox-IT published two Python scripts to detect CryptoPHP on servers and provided instructions about removing the malware. Cleaning the website takes not just getting rid of the tainted scripts but also shrieking off any additional administrator accounts and resetting the details of the log-in.

» SPAMfighter News - 12/9/2014