A new type of malicious WordPress plugin that encrypts blog contents has been spotted in the wild. The plugin, ironically named ‘WP Security’, encrypts blog posts and renders their content unreadable. According to researchers, it targets individual WordPress blog posts, which is unusual behavior. The plugin was found on a single website, which is believed to have been one victim of a larger attack campaign.
According to analysis from Sucuri, the plugin obtains a list of all posts in the system and encrypts each one using the AES-256-CBC cipher via PHP's ‘openssl_encrypt’ function. The posts are encrypted in place in the database. Notably, only the post content itself is encrypted; all other WordPress attributes remain unaltered. A log file is then generated listing the encrypted posts.
“This is the first time we’ve seen a plugin target specific blog posts on a website, but it’s possible that we’ll see this more often in the coming months,” Sucuri researcher Kasimir Konov said in a blog posting on Monday. “The website owner(s) complained of a newly installed and activated plugin on their website that was rendering their original content unreadable.”
The simple plugin is lightweight and stealthy. Konov said that it includes only two PHP files and a single log file. There are no controls, nor is there any obvious sign of the plugin on the dashboard once it has been activated. The researchers came across a function used by the plugin to communicate with a remote server in order to obtain the encryption key. The script inside the function uses cURL to contact the remote server. “The result is that the theme and everything else is working as expected, but the posts display an encrypted string,” he explained.
Sucuri researchers observed that the script initiates a connection to a domain to obtain the encryption key. As for decryption, some of the keys are hard-coded into the script, but the main key needed to decrypt the content is not available. Instead, a feature called WpEncryption obtains the key from a remote website.
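The encryption behaviour described above (AES-256-CBC output stored as the post body, everything else in the row untouched) leaves a recognisable trace in the database. The following triage script, an added example rather than Sucuri's code or the plugin's, shows how a site owner could scan exported wp_posts rows for content that looks like stored CBC ciphertext, and flag plugin source that combines openssl_encrypt with a cURL fetch. The sample rows and the stand-in ciphertext bytes are constructed for the example.

```python
import base64
import binascii
import hashlib
import math
import re

# Constructed sample rows in the shape of wp_posts (ID, post_content).
# Row 2 imitates what openssl_encrypt($content, 'aes-256-cbc', $key, 0, $iv)
# would store: base64 text whose decoded length is a whole number of 16-byte
# AES blocks. The bytes are SHA-256 output used as stand-in ciphertext.
_FAKE_CIPHERTEXT = hashlib.sha256(b"block 1").digest() + hashlib.sha256(b"block 2").digest()
SAMPLE_POSTS = [
    (1, "<p>Welcome to my blog! Here is the first post.</p>"),
    (2, base64.b64encode(_FAKE_CIPHERTEXT).decode()),
    # Block-aligned (48 bytes) but plaintext: base64 alone must not trigger.
    (3, base64.b64encode(b"This is a perfectly ordinary sentence in English").decode()),
]

_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near the maximum possible for its length."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_cbc_ciphertext(content: str, min_bytes: int = 32) -> bool:
    """Heuristic: the whole post is a single base64 token, it decodes to whole
    AES blocks, and the decoded bytes are near maximum entropy (encoded
    text or HTML is far below that)."""
    text = content.strip()
    if not _B64_RE.fullmatch(text):
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error:
        return False
    if len(raw) < min_bytes or len(raw) % 16 != 0:
        return False
    return shannon_entropy(raw) / math.log2(min(len(raw), 256)) >= 0.85

def find_encrypted_posts(rows):
    """Return the IDs of posts whose content looks like stored AES-CBC output."""
    return [post_id for post_id, content in rows if looks_like_cbc_ciphertext(content)]

def plugin_source_is_suspicious(php_source: str) -> bool:
    """Flag plugin code that both encrypts with openssl_encrypt and talks to a
    remote host via cURL, the combination described for this plugin."""
    return "openssl_encrypt(" in php_source and "curl_init(" in php_source
```

A post consisting solely of a large base64 attachment would also match the content heuristic, so hits should be cross-checked against the plugin's own log of encrypted posts before restoring from backup.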
“During our investigation, we found the script to be calling the following domain to fetch a key for the encryption and decryption: ‘hxxp://www[.]xcelvations[.]com/wpsecurity/secretkeys.php’. The website was returning a ‘404 page not found’ response at the time, so we were unable to do any further testing or attempt to recover the key in order to decrypt the content,” wrote the researchers.
“We believe there could be other websites involved in this campaign—in this case, the website appears to be another victim of an attack, rather than an actual malicious website or some kind of command-and-control server,” he said.
As with any cryptolocking activity, WordPress sites affected by the plugin would be able to recover the posts from a database backup. As for how the plugin got there in the first place, the adversaries could easily have exploited a vulnerability in the site.
“We always encourage webmasters to update all plugins and themes along with core WordPress files,” said Konov. “It’s also highly recommended that the database password be reset, as attackers often steal login credentials to connect remotely to the database after an infection is cleaned.”