[SingCERT] CryptoPHP

Published on Friday, 28 November 2014 10:27

[ Background ]

CryptoPHP is a backdoor embedded in pirated ("nulled") versions of Joomla, Drupal and WordPress themes and plugins. It installs itself alongside the theme or plugin, integrates into the Content Management System (CMS), and communicates with its command and control (C&C) server over an encrypted channel to fetch and execute code. It also turns the compromised web server into a platform for illegal search engine optimisation (blackhat SEO), the use of unethical techniques to boost the search ranking of a website or web page.


[ Affected Software ]

  • Joomla
  • Drupal
  • WordPress


[ Remediation ]

  • Scan your server for any possible infection. Administrators can use the scanning scripts published by Fox-IT on GitHub (https://github.com/fox-it/cryptophp/) to check their servers for the malware.
  • Scan your network logs for any possible infection. The Indicators of Compromise (IOCs) are published in the same repository - https://github.com/fox-it/cryptophp/
  • Uninstall the malicious plugin(s) or theme(s) and remove all files associated with them.
  • Check the CMS database for any unknown administrator account(s) and remove them.
  • Reset the passwords of all accounts.
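The first remediation step, scanning the server, can be illustrated with a small file-system check. The script below is an added example written for this advisory; it is not Fox-IT's scanner and not part of the original page. It looks for the two file-level traits the Fox-IT analysis describes: a backdoor stored in a file with an image extension (classically social.png) whose contents actually begin with a PHP open tag, and theme or plugin PHP files that include() or require() such an image file. The directory layout, file names and contents in build_sample_tree() are constructed for the demonstration.

```python
"""Scan a CMS document root for CryptoPHP-style file-level indicators.

Added example, not Fox-IT's own scanner. Two checks are performed:
  1. files with an image extension whose first bytes are a PHP open tag
  2. PHP files that include()/require() a path ending in an image extension
"""
import os
import re
import tempfile

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")
PHP_EXTENSIONS = (".php", ".inc", ".phtml")
PHP_OPEN_TAGS = (b"<?php", b"<?=")

# include/require (optionally _once) of a quoted path ending in an image extension
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(?:png|jpe?g|gif))['"]""",
    re.IGNORECASE,
)


def is_php_in_image(path):
    """True if an image-named file starts with a PHP open tag instead of an image header."""
    if not path.lower().endswith(IMAGE_EXTENSIONS):
        return False
    with open(path, "rb") as fh:
        head = fh.read(64).lstrip()
    return head.startswith(PHP_OPEN_TAGS)


def find_image_includes(path):
    """Return the image paths that a PHP file includes or requires."""
    if not path.lower().endswith(PHP_EXTENSIONS):
        return []
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return INCLUDE_RE.findall(text)


def scan_tree(root):
    """Walk root and return sorted (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_php_in_image(full):
                findings.append(("php_in_image", rel, ""))
            for target in find_image_includes(full):
                findings.append(("image_include", rel, target))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample web root: one clean theme and one carrying a backdoor."""
    clean = os.path.join(root, "wp-content", "themes", "clean")
    bad = os.path.join(root, "wp-content", "themes", "pirated", "assets", "images")
    os.makedirs(clean)
    os.makedirs(bad)
    # Clean theme: ordinary PHP plus a real PNG (magic header only) screenshot.
    with open(os.path.join(clean, "functions.php"), "wb") as fh:
        fh.write(b"<?php\nadd_action('init', 'clean_theme_setup');\n")
    with open(os.path.join(clean, "screenshot.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # Pirated theme: functions.php pulls in a PHP file disguised as social.png.
    pirated = os.path.dirname(os.path.dirname(bad))
    with open(os.path.join(pirated, "functions.php"), "wb") as fh:
        fh.write(b"<?php\ninclude('assets/images/social.png');\n")
    with open(os.path.join(bad, "social.png"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for a backdoor body */ echo 'x'; ?>")


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(kind, rel, detail)
```

Run it against a real document root with scan_tree("/var/www/html") (path assumed); both checks are read-only. A hit on either check is a reason to inspect the file by hand, not proof of CryptoPHP on its own, and the Fox-IT scripts linked above remain the authoritative check for this specific family.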


[ Recommendations ]

  • Do not install pirated ("nulled") plugins or themes.
  • If the functionality is required, source an alternative free plugin from the official repository or implement the function yourself.


[ References ]

http://blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/
http://blog.fox-it.com/2014/11/26/cryptophp-a-week-later-more-than-23-000-sites-affected/
https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf