CryptoPHP – Analysis of a hidden threat inside popular content management system


While attacks using vulnerabilities on commonly used content management systems are a real threat to website owners not keeping up with updates, a new threat has been going around. Website owners are social engineered to unknowingly install a backdoor on their webserver. This threat has been dubbed “CryptoPHP” by Fox-IT’s Security Research Team and has been first detected in 2013.


CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

After being installed on a webserver the backdoor has several options of being controlled which include command and control server communication, mail communication as well as manual control.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanism in place against C2 domain takedowns by using email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the C2 server list
  • Ability to update itself

We’ve identified thousands of backdoored plug-ins and themes which contained 16 versions of CryptoPHP as of the 12th of November 2014. Their first ever version went live on the 25th of September 2013 which was version 0.1, they are currently on version 1.0a which was first released on the 12th of November 2014. We cannot determine the exact number of affected websites but we estimate that, at least a few thousand websites are compromised by CryptoPHP.

Tweet about this on TwitterShare on Facebook0Share on LinkedIn0Share on Google+0Pin on Pinterest0