Aerosol

CryptoPHP - Analysis Of A Hidden Threat Inside Popular Content Management Systems

Posted

CONTENTS
Introduction 4
Executive summary 4
1 The initial incident 5
2 Analysis 6
  2.1 Plug-in 6
  2.2 Origin 9
  2.3 Features 11
  2.4 Setup 11
  2.5 CMS integration 13
  2.6 Crypto and Communication 15
  2.7 Manual Control 17
  2.8 Configuration 18
  2.9 Backup communication 19
  2.10 Purpose: Blackhat SEO 20
  2.11 Possible author 22
3 Infrastructure 23
  3.1 Spreading 23
  3.2 Command and control servers 24
4 Checking for CryptoPHP in plug-ins and themes 26
  4.1.1 WordPress 26
  4.1.2 Joomla 27
  4.1.3 Drupal 27
5 Appendix: Indicators of Compromise 28
  5.1 Network detection 28
  5.2 File hashes 29
  5.3 Command and Control servers 30
    5.3.1 Version 0.1 30
    5.3.2 Version 0.1 (other variant) 30
    5.3.3 Version 0.2, 0.2x1, 0.2x2, 0.2b3, 0.2x4, 0.2x9, 0.3, 0.3x1 35
    5.3.4 Version 1.0, 1.0a 39
  5.4 Backup communication email addresses 42
    5.4.1 Version 0.1 42
    5.4.2 Version 0.1 (other variant) 42
    5.4.3 Version 0.2, 0.2x1, 0.2x2, 0.2b3, 0.2x4, 0.2x9, 0.3 42
    5.4.4 Version 1.0, 1.0a 50

Read more: http://dl.packetstormsecurity.net/papers/evaluation/cryptophp-whitepaper-foxsrt-v4.pdf
