By CagedTech in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 1
First Seen: December 3, 2014
Last Seen: May 4, 2019
OS(es) Affected: Windows

Malware analysts have observed an alarming statistic: more than 23,000 IP addresses link to threatening domains associated with CryptoPHP. Thousands of threatening Joomla, Drupal and WordPress themes and plug-ins may have been used to spread backdoor Trojans and corrupted scripts associated in some way with CryptoPHP. Command and Control servers associated with CryptoPHP have been linked with 23,693 unique IP addresses, indicating that CryptoPHP has become much more widespread than initially thought. Most CryptoPHP infections are centered in the United States.

CryptoPHP has Become a Widespread Problem in Recent Months

Research on Command and Control servers associated with CryptoPHP has revealed a high number of unique IP addresses accessing these servers in November of 2014. These numbers do not translate directly into a count of compromised websites; there are probably many more, because a single Web server may host multiple websites, so several websites on the same infected server may connect to the threatening servers from the same IP address. 8,657 of the compromised IP addresses are located in the United States, with the second most affected country being Germany with 2,877 unique addresses.

There are Numerous Past Infections with CryptoPHP

Malware analysts have observed at least sixteen different versions of CryptoPHP. The first variant of CryptoPHP was detected in September of 2013. This initial infection was spread using thousands of threatening versions of themes and plug-ins for popular content management systems such as Drupal, Joomla and WordPress. There are numerous versions of CryptoPHP, the latest of which is considered version 1.0 and was first observed on November 12, 2014. Many compromised websites associated with CryptoPHP may disappear for a day only to reemerge with more recent versions of CryptoPHP. This shows that CryptoPHP is actively updated and improved, and that the fight against CryptoPHP is an ongoing one.

How CryptoPHP may be Used to Attack Computer Users

CryptoPHP is used for a well-known search engine manipulation tactic. CryptoPHP may inject links and text into websites. However, CryptoPHP may only inject this content when the visitor to the Web page is a Web crawler rather than a human visitor. Web crawlers, the automated agents search engines use to index content, are targeted in order to raise the search engine placement of websites associated with CryptoPHP. Websites promoted using these types of tactics are considered unethical and are banned by search engines when found out. However, advertising and SEO may be quite profitable, meaning that many shady websites may engage in these practices in order to profit at the expense of others.
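A defender's check for the crawler-only injection just described, added here as an example and not code from the article or from any CryptoPHP analysis: fetch the same page twice, once with a browser User-Agent and once with a crawler User-Agent, and list the links that only the crawler is served. The User-Agent strings, the usage URL and the sample HTML are assumptions constructed for the example.

```python
import sys
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings: a generic browser and Googlebot's published UA.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from every <a> element in a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def crawler_only_links(browser_html, crawler_html):
    """Links present in the crawler's view of a page but absent from the browser's view."""
    return sorted(set(extract_links(crawler_html)) - set(extract_links(browser_html)))

def fetch(url, user_agent):
    # Same URL, different User-Agent header: cloaking keys on exactly this field.
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample: the page as served to a browser, and with a hidden link block added for crawlers.
BROWSER_VIEW = "<html><body><p>Welcome</p><a href='/about'>About</a></body></html>"
CRAWLER_VIEW = BROWSER_VIEW.replace("</body>", "<div style='display:none'><a href='http://example.invalid/x'>cheap x</a></div></body>")

if __name__ == "__main__":  # usage: python cloak_check.py https://your-site.example/
    views = ((fetch(sys.argv[1], BROWSER_UA), fetch(sys.argv[1], CRAWLER_UA))
             if len(sys.argv) > 1 else (BROWSER_VIEW, CRAWLER_VIEW))
    for href, text in crawler_only_links(*views):
        print(f"crawler-only link: {href} ({text!r})")
```

Run it against your own site's front page and a few inner pages; an empty result does not prove the site is clean, but any crawler-only link is a strong signal that injected SEO content is being served.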

Understanding How CryptoPHP may Affect Computers

The parties responsible for CryptoPHP are based in Chisinau, located in the Republic of Moldova. One of the justifications for this supposition is an agent involved with CryptoPHP that is named 'chisijen12'. This name leads to an IP address that has been in use since December of 2013. CryptoPHP has various features that may allow CryptoPHP to contact its Command and Control server. However, PC security analysts have had difficulty studying CryptoPHP's communications because CryptoPHP uses RSA public key cryptography to communicate, meaning that statistics on which content management systems are most at risk are not available. CryptoPHP may also communicate using email and may be controlled manually. PC security researchers strongly advise website administrators to confirm that their website has not been compromised by CryptoPHP. There are various publicly available scripts that can help with this process. If an infection is uncovered, not only should all content associated with CryptoPHP be removed, but access to the server should also be locked down and the unwanted agents banned.
