Reproducing Joomla, Drupal, WordPress Themes & Plugins Packaged With CryptoPHP Backdoor

The attackers' main aim is illegal search engine optimization (SEO): they freely distribute pirated WordPress, Drupal and Joomla themes and plugins that are packaged with a backdoor now referred to as CryptoPHP.

Last week Fox-IT released a whitepaper on CryptoPHP, and the security company also announced that several of the backdoor's command-and-control domains had been sinkholed or taken down.

Researchers observed approximately 23,693 unique IP addresses connecting to the sinkholes. According to the post, by Monday that number had decreased to 16,786.

As per the post, “These numbers are however not a clear indication, mostly because the servers connecting to our sinkholes were shared hosting with at least [one] or multiple backdoored websites. This means the actual affected websites will be higher.”

Of the 23,693 connections to the sinkhole, CryptoPHP had its largest presence in the U.S., where researchers observed 8,657 infections. In Germany 2,877 infections were observed, in France 1,231, in the Netherlands 1,008 and in Turkey 749, while the remaining 9,171 infections were spread across all other countries.

Yonathan Klijnsma, a security analyst with Fox-IT, told SCMagazine.com in a Wednesday email correspondence that although the number of connections to the sinkholes is declining, the threat is not over, since the attackers are still distributing the backdoored plugins and themes through their sites. He also said that the attackers, who did not name the backdoor CryptoPHP, are probably now aware that researchers have caught on and may change their strategy.

Klijnsma said, “I think by now they noticed due to domains going offline and servers being taken down (server takedown is in process, taking down physical machines is a lengthier process).” He also added, “So if they know about the [whitepaper] by now I think they'll be changing their operation. Seeing as it's a source of income for them I expect they will continue doing this.”

Numerous Drupal, Joomla and WordPress users were infected with CryptoPHP after downloading pirated themes and plugins from websites including “dailynulled[dot]com” and “nulledstylez[dot]com,” the whitepaper states, adding that all content on these sites contained CryptoPHP.

Researchers have also observed CryptoPHP being used for automated blackhat SEO: techniques that manipulate the ranking of websites on popular search engines such as Bing and Google.

“The backdoor gives them full access to your server, they can do anything they want with it,” Klijnsma said. “The content altering already happens with the blackhat SEO and of course they could start serving malware with those sites as well. As for the data stealing, we have already seen that they inject JavaScript snippets into the WordPress login pages to steal the administrators' credentials as well.”

Daniel Cid, CTO of Sucuri, told SCMagazine.com in a Wednesday email correspondence that such threats are very common. Cid said, “Not only for website themes and plugins, but also for downloads of common desktop software.” He also added, “The main takeaway for webmasters is that they have to be extra careful when downloading plugins and themes from the internet. They should always go to the main source and official pages to get them.”

For more information on Joomla development or any other open source development service, you can hire a professional Joomla developer with specialist expertise in open source development.
