The attackers behind the SoakSoak malware campaign are continuing to modify their tactics and have infected a new group of Web sites. The Javascript code that the attackers target with the malware has also changed.
Last week, Google took the step of blacklisting thousands of sites that had been infected by SoakSoak. The malware is targeting WordPress sites and the attackers can inject their malicious code into various Javascript files. Originally, the attackers were targeting wp-includes/template-loader.php, and once the file is modified, the attackers’ Javascript can appear on every page on an infected site. That code will then download malware from a remote domain.
The attackers have now begun targeting a different file, wp-includes/js/json2.min.js, which is being modified to load a malicious Flash file.
“The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js,” researchers at Sucuri wrote in an analysis of the attack.
The SoakSoak malware campaign is targeting older versions of a popular WordPress plugin called RevSlider. Versions prior to 4.2 are being exploited, Denis Sinegubko of Sucuri said. The vulnerability in the plugin was disclosed several months ago and was discussed on underground forums.
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner. Some website owners don’t even know they have it as it’s been packaged and bundled into their themes,” Daniel Cid of Sucuri wrote last week.
The vulnerability was patched silently by the plugin’s developers, but sites that have not been updated are still vulnerable to these kinds of attacks.