Thousands of WordPress, Joomla and Drupal plugins have been discovered that contained a “gateway” that would allow access without user’s knowledge. By accessing fake websites that resembled the original ones, the Internet user actually downloaded and installed files with malware on his site. The mass scale proceeding probably lasted from September 2013.
The incident came to light accidentally. A Dutch internet company discovered a suspicious Joomla plugin on one of its customers’ websites. It shared a report that you can review here. The source of the installation led to a site with a list of pirated themes and plugins. None of them came from the original publisher (Joomla Service Provider). Each of them was described as “nulled” – the removed “callback” allowed to bypass the control of the legality of the add-on. While more thoroughly viewing all the content published on the pirate site, it turned out that each plugin, theme and extension contained the same vulnerability created for later use.
The script was named “CryptoPHP”. The purpose of malware is to engage in Black-Hat SEO by injecting links that refer to other web addresses into the content of unsuspecting owner’s sites. The RSA encryption protects communication with C2 servers. So this is a classic botnet. The attacker has a lot of possibilities – our site can be used in any way. From sending spam, through distribution of malware, displaying your own ads to redirecting our users to other websites. The script has an option to update. Several versions have been identified – the first of them (0.1) was introduced on September 25, 2013. Version 1.0 was released on November 12. The attack was connected with the Moldovan IP, while the C2 servers are located in the Netherlands, Germany, the United States and Poland.
Websites threatened with scripts are estimated at at least several thousand. If you installed plugins from an unreliable source, the problem is likely to affect you. The only effective solution is to reinstall everything from scratch without any infected plugins.