Recently a new customer came to us needing their website cleaned up after a hack. As part of the cleanup we found an interesting little malicious WordPress plugin, called “WP Security”, that was being used to encrypt blog post content. The website owner complained of a newly installed and activated plugin on their website that was rendering their original content unreadable.
The plugin encrypted posts using PHP’s openssl_encrypt function with the ‘AES-256-CBC’ cipher, which makes the content impossible to decrypt without the proper key. This is the first time we’ve seen a plugin target specific blog posts on a website, but it’s possible that we’ll see this more often in the coming months.
The plugin was actually quite simple and included only two PHP files and a single log file. There are no controls for the plugin, nor was there any obvious sign of the plugin on the dashboard once it had been activated.
After a bit of digging we found that the posts were encrypted inside the database; however, only the actual post content is encrypted, everything else is untouched. The result is that the theme and everything else works as expected, but the posts display an encrypted string.
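Because only post_content is touched, the first job in a cleanup is to enumerate which rows need restoring. The script below is an added triage example, not code from the original post or from the plugin: it applies a heuristic to rows pulled from wp_posts and flags bodies that look like raw openssl_encrypt output (openssl_encrypt returns base64 by default, and AES-256-CBC ciphertext is always a multiple of 16 bytes). The sample rows, the entropy threshold and the fake ciphertext are constructed for the example; in practice you would feed it the result of `SELECT ID, post_title, post_content FROM wp_posts`.

```python
"""Flag wp_posts rows whose post_content looks like raw openssl_encrypt output.

Added triage example; not the plugin's code. It never decrypts anything: it only
lists posts that should be restored from a backup.
"""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
AES_BLOCK = 16
MIN_B64_LEN = 24      # one padded AES block (16 bytes) encodes to 24 base64 chars
MIN_ENTROPY = 4.0     # bits per char (assumed threshold); base64 of random bytes sits well above


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the given string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def looks_encrypted(content: str) -> bool:
    """True when the whole post body is a block-aligned, high-entropy base64 blob."""
    body = "".join(content.split())          # the editor may have wrapped the blob
    if len(body) < MIN_B64_LEN or len(body) % 4 or not BASE64_RE.match(body):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    if len(raw) % AES_BLOCK:                 # CBC ciphertext is always block aligned
        return False
    return shannon_entropy(body) >= MIN_ENTROPY


def find_encrypted_posts(rows):
    """Return [(ID, post_title)] for rows whose content matches the heuristic."""
    return [(r["ID"], r["post_title"]) for r in rows if looks_encrypted(r["post_content"])]


# Constructed stand-in for AES-256-CBC output: 64 pseudo-random bytes, base64 encoded.
FAKE_CIPHERTEXT = base64.b64encode(
    hashlib.sha256(b"constructed-block-1").digest()
    + hashlib.sha256(b"constructed-block-2").digest()
).decode()

# Constructed rows standing in for a wp_posts query result.
SAMPLE_ROWS = [
    {"ID": 1, "post_title": "Hello world!",
     "post_content": "<p>Welcome to WordPress. This is your first post.</p>"},
    {"ID": 2, "post_title": "Short", "post_content": "Test"},
    {"ID": 3, "post_title": "Pricing", "post_content": FAKE_CIPHERTEXT},
    {"ID": 4, "post_title": "Plain base64",
     "post_content": base64.b64encode(b"just a plain sentence").decode()},
]

if __name__ == "__main__":
    for post_id, title in find_encrypted_posts(SAMPLE_ROWS):
        print(f"post {post_id} ({title!r}) looks encrypted; restore it from backup")
```

The block-alignment check is what separates ciphertext from ordinary base64 (row 4 decodes to 21 bytes and is skipped), and the entropy check guards against trivially repetitive strings that happen to be block aligned. A post that embeds a base64 image inside HTML is not flagged, because the body contains characters outside the base64 alphabet.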
During our investigations, we found that the PHP script within the plugin was making a request to the following domain to fetch the key used for encryption and decryption: ‘hxxp://www[.]xcelvations[.]com/wpsecurity/secretkeys.php’. The website was returning a “404 page not found” response at the time, so we were unable to do any further testing or attempt to recover the key in order to decrypt the content.
We believe other websites could be involved in this attack, which is very similar to malware infections that encrypt a user’s hard drive or documents and then demand a bitcoin ransom. In this case, the website hosting the key script appears to be another victim of the attack, rather than an actual malicious website or some kind of CnC (Command and Control) server.
For this particular incident, we couldn’t decode the posts due to the strong encryption algorithm used; however, we were able to recover them from a database backup.
This demonstrates how malicious plugins can be added to a website and wreak havoc, especially if backups are unavailable. We always recommend that website owners back up both their files and their databases.
After this kind of attack, we always encourage website owners to update all plugins, themes and core WordPress files, and to check regularly for any unidentified plugins or users. It’s also highly recommended that the database password be reset, as attackers often steal login credentials to connect remotely to the database after an infection is cleaned.