Malicious WordPress plugin encrypts blog post content

• The plugin was found to encrypt posts with AES-256-CBC using an ‘openssl-encrypt’ function.
• The website that contained this malicious plugin is believed to have been a victim of a large attack campaign.

A malicious WordPress plugin that encrypts content in blog posts was found targeting a website. The plugin, known as ‘WP Security’, was analyzed by security experts at Sucuri when they were informed of a WordPress site that had the plugin installed.

It was found that WP Security encrypted posts with AES-256 encryption by using a function called ‘openssl_encrypt’. Interestingly, only the content was encrypted by the plugin with all other WordPress attributes remaining unaltered.

Key highlights

• The plugin contained two PHP files and a log file. Sucuri researchers found that the plugin did not show up on the WordPress dashboard.
• Only the blog content was encrypted by the plugin. The posts were encrypted inside the site’s database.
• The researchers came across a function used by the plugin to communicate with a remote server in order to obtain the encryption key.
• The script inside the function used CURL to communicate with the remote server.
• WP Security plugin searched for all posts in the site and encrypted them. A log file generated by it contained the encrypted posts.

Worth noting

Sucuri researchers observed that the script initiates a connection to a domain for the encryption key.

“During our investigation, we found the script to be calling the following domain to fetch a key for the encryption and /decryption ‘hxxp://www[.]xcelvations[.]com/wpsecurity/secretkeys.php’. The website was returning a “404 page not found” response at the time, so we were unable to do any further testing or attempt to recover the key in order to decrypt the content,” wrote the researchers.

It is speculated that the site found infected with the WP Security plugin is a victim of a large attack campaign.