Fox-IT, a Netherlands-based security firm, has published a whitepaper describing a new backdoor named "CryptoPHP". Its researchers found backdoored plugins and themes for popular CMSes such as WordPress, Joomla and Drupal. Drupal users get slight relief in that only themes, not modules, were found to carry the backdoor. These backdoored plugins and themes are used to compromise the web servers on which they are installed.

According to the report, site administrators are lured into downloading pirated ("nulled") themes and plugins so they can use them without paying. In this way the attackers socially engineer the site admin into installing the bundled backdoor on their own server.
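Because the backdoor ships inside a tampered copy of an otherwise legitimate theme or plugin, the practical check is to compare what is installed against a copy obtained from the vendor. The following Python script is an added example, not code from Fox-IT's whitepaper: it builds a SHA-256 manifest for a trusted package and for the installed copy, then reports files that were modified, added or removed. The two theme directories it walks are constructed inline in a temporary folder so the script runs offline; in practice the "vendor" side would be the package downloaded from the theme author's own site.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(trusted, installed):
    """Diff two manifests: files whose content changed, files not in the vendor
    package, and vendor files that are missing from the install."""
    modified = sorted(f for f in trusted if f in installed and trusted[f] != installed[f])
    added = sorted(f for f in installed if f not in trusted)
    missing = sorted(f for f in trusted if f not in installed)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed sample: a vendor copy of a theme and an installed copy that has
    been tampered with (one file edited, one extra file dropped in)."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor-theme"
        installed = Path(tmp) / "installed-theme"
        for root in (vendor, installed):
            (root / "inc").mkdir(parents=True)
            (root / "style.css").write_text("/* theme */\n")
            (root / "functions.php").write_text("<?php\n// theme functions\n")
            (root / "inc" / "helpers.php").write_text("<?php\n// helpers\n")
        # Simulate a nulled package: functions.php now pulls in a file the vendor never shipped.
        (installed / "functions.php").write_text(
            "<?php\n// theme functions\ninclude 'inc/extra.php';\n"
        )
        (installed / "inc" / "extra.php").write_text("<?php\n// not in the vendor package\n")
        return compare_manifests(build_manifest(vendor), build_manifest(installed))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Anything in the "added" or "modified" lists deserves a manual look before the package is trusted; a clean vendor copy is the only baseline worth comparing against, since a manifest built from an already-infected install would just bless the backdoor.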

The backdoor can be controlled in several ways: through communication with a command and control server, through email, and manually.

So far, the research shows that the attackers are using the CryptoPHP backdoor for illegal search engine optimization, also known as black hat SEO. The backdoor's code is highly dynamic in how it is used.

The capabilities of the CryptoPHP backdoor include:

- Integration into popular content management systems like WordPress, Drupal and Joomla
- Public key encryption for communication between the compromised server and the command and control (C2) server
- An extensive infrastructure in terms of C2 domains and IPs
- Backup mechanisms against C2 domain takedowns in the form of email communication
- Manual control of the backdoor besides the C2 communication
- Remote updating of the list of C2 servers
- Ability to update itself

According to Fox-IT, thousands of backdoored plugins and themes containing 16 variants of the CryptoPHP backdoor had been found as of 12 November 2014. The first version, 0.1, went live on 25 September 2013; the current version, 1.0a, was first released on 12 November 2014. The exact number of websites affected by the CryptoPHP backdoor is undetermined, but the firm estimates that at least a few thousand websites are compromised.

The majority of the C2 servers used by the threat are located in the Netherlands (40%), Germany (40%) and the United States (18%).