A malicious WordPress plugin that encrypts content in blog posts was found targeting a website. The plugin, known as ‘WP Security’, was analyzed by security experts at Sucuri when they were informed of a WordPress site that had the plugin installed.
It was found that WP Security encrypted posts with AES-256 by calling PHP's ‘openssl_encrypt’ function. Notably, only the post content was encrypted; all other WordPress attributes of the post remained unaltered.
Sucuri researchers also observed that the script fetches the encryption key from a remote domain rather than storing it locally.
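Two triage checks a site owner could run against the behaviour described above, as an added example that is not from the Sucuri write-up or the plugin's own code: the first flags posts whose content has the shape openssl_encrypt() produces by default (a single opaque base64 token decoding to binary) while the title stays readable; the second flags plugin PHP that pairs an openssl_encrypt() call with a key fetched over HTTP. The post rows, the PHP text and the key-server URL inside it are all constructed for the example; the hashed stand-in for ciphertext is not real encryption, it only reproduces the statistical shape.

```python
"""Added example, not from the Sucuri write-up or the plugin itself:
two defender-side triage checks for a WordPress site suspected of
hosting a post-encrypting plugin like the one described.

  1. flag posts whose post_content is an opaque base64 blob (the shape
     openssl_encrypt() returns by default) while the title is readable;
  2. flag plugin PHP files that call openssl_encrypt() and also fetch
     something over HTTP, the key-from-remote-domain pattern described.

All sample rows, the PHP text and the URL in it are constructed here.
"""
import base64
import binascii
import hashlib
import re

# Strict base64 token: no whitespace, no HTML, optional '=' padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_ENCRYPT_RE = re.compile(r"\bopenssl_encrypt\s*\(")
# Common PHP/WordPress ways to pull a remote URL, followed by a literal http(s) URL.
_FETCH_RE = re.compile(
    r"\b(file_get_contents|wp_remote_get|wp_remote_post|curl_init)"
    r"\s*\(\s*['\"]https?://")


def looks_like_ciphertext(content: str, min_len: int = 24) -> bool:
    """True when content is one strict-base64 token that decodes to binary
    (not UTF-8 text) with many high-bit bytes.  Real post content contains
    spaces, tags or punctuation and fails the base64 test at once; merely
    base64-encoded text decodes as UTF-8 and is rejected at the second step."""
    s = content.strip()
    if len(s) < min_len or len(s) % 4 or not _B64_RE.match(s):
        return False
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    try:
        raw.decode("utf-8")
        return False  # plain text that was only base64-encoded
    except UnicodeDecodeError:
        pass
    high = sum(1 for b in raw if b >= 0x80)
    return high / len(raw) > 0.25


def find_encrypted_posts(rows):
    """rows: (ID, post_title, post_content) tuples as exported from wp_posts.
    Returns the IDs whose content looks encrypted."""
    return [pid for pid, _title, content in rows if looks_like_ciphertext(content)]


def plugin_fetches_key_and_encrypts(php_source: str) -> bool:
    """Static check for the combination described: an openssl_encrypt() call
    plus something fetched over HTTP from a remote host in the same file."""
    return bool(_ENCRYPT_RE.search(php_source) and _FETCH_RE.search(php_source))


# --- constructed sample data ---------------------------------------------
def _fake_ciphertext(n_blocks: int = 4) -> str:
    """Stand-in for AES output: chained SHA-256 digests, base64-encoded.
    Not real encryption; it only has the byte distribution of ciphertext."""
    raw = b"".join(hashlib.sha256(b"constructed-block-%d" % i).digest()
                   for i in range(n_blocks))
    return base64.b64encode(raw).decode("ascii")


SAMPLE_POSTS = [
    (101, "Welcome to the blog", "<p>Hello world! This is our first post.</p>"),
    (102, "Release notes", "Version 2.1 fixes login issues; see the changelog."),
    (103, "Quarterly update", _fake_ciphertext()),
    (104, "Base64 is not encryption",
     base64.b64encode(b"plain text, just encoded").decode("ascii")),
]

# Constructed plugin bodies; the URL is a placeholder, not the real domain.
SAMPLE_PLUGIN_PHP = """<?php
$key = file_get_contents('http://key-server.invalid/secretkeys.php');
$out = openssl_encrypt($post->post_content, 'aes-256-cbc', $key, 0, $iv);
"""

BENIGN_PLUGIN_PHP = """<?php
$out = openssl_encrypt($data, 'aes-256-cbc', get_option('my_local_key'), 0, $iv);
"""

if __name__ == "__main__":
    print("posts with ciphertext-shaped content:", find_encrypted_posts(SAMPLE_POSTS))
    print("suspicious plugin:", plugin_fetches_key_and_encrypts(SAMPLE_PLUGIN_PHP))
    print("benign plugin:", plugin_fetches_key_and_encrypts(BENIGN_PLUGIN_PHP))
```

On a real site the rows would come from `wp_posts` (for instance via a SQL export or `wp post list --format=json`) and the PHP check would be run over every file under `wp-content/plugins/`; a hit on either check is a reason to take a backup of the database before touching the plugin, since the encrypted content is unrecoverable without the key.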
“During our investigation, we found the script to be calling the following domain to fetch a key for the encryption and decryption: ‘hxxp://www[.]xcelvations[.]com/wpsecurity/secretkeys.php’. The website was returning a ‘404 page not found’ response at the time, so we were unable to do any further testing or attempt to recover the key in order to decrypt the content,” wrote the researchers.
It is speculated that the site found infected with the WP Security plugin is one victim of a large attack campaign rather than an isolated case.