SoakSoak Malware Compromise

Google blacklisted more than 10,000 different websites over the weekend that it spotted doling out SoakSoak malware, but experts claim the number of impacted sites may ultimately be ten times that figure.

Up to 100,000 sites hosted on WordPress may be vulnerable to a campaign known as SoakSoak, according to web security firm Sucuri, which warned about the malware in a blog post yesterday.

Daniel Cid, Sucuri’s CTO and founder, told Threatpost Monday morning that he’s seen the campaign targeting WordPress users running Internet Explorer on Windows and that it’s pushing multiple exploit kits to the browser.

The site the campaign was pulling malware from – a Russian domain – is currently offline, suggesting that the malware may have caught on faster than its creators expected.

“The good news is that the site was down for many hours yesterday and seems to be overloaded right now,” Cid said, “I guess they infected more sites than what they were expecting.”

The malware is modifying a file in WordPress, wp-includes/template-loader.php, that makes it so a JavaScript file, wp-includes/js/swobject.js, can be loaded onto every page on the site. After its decoded, it loads malware from the aforementioned Russian domain.

Cid acknowledged that versions of WordPress that use older versions of a popular slideshow plugin, “Slider Revolution” a/k/a RevSlider, are vulnerable to SoakSoak. Specifically, all versions of the plugin prior to 4.1.4 are at risk.

“Many users don’t even know they have this plugin because it comes bundled with many themes, explaining why a lot of sites are still not patched,” Cid said.

Tony Perez, another researcher with the firm, couldn’t confirm the exact vector yesterday in a write-up of the malware but did state that a preliminary analysis showed a correlation between SoakSoak and RevSlider.

There are more than 70 million sites that run on WordPress and RevSlider is one of the content management system’s most popular plugins so it’s difficult to know exactly how many and what kind of sites may have been hit by the malware.

It does appears that, a site that provides guides for popular MMORP games like Guild Wars 2 and Star Wars: The Old Republic was one site that was infected by the malware over the weekend.

– See more at: