Google Blacklists WordPress Sites Peddling SoakSoak Malware

Up to 100,000 sites hosted on WordPress may be vulnerable to new campaign that’s pushing malware and multiple exploit kits to the browser.

UPDATE Google blacklisted more than 10,000 different websites over the weekend that it spotted doling out SoakSoak malware, but experts claim the number of impacted sites may ultimately be ten times that figure.

Up to 100,000 sites hosted on WordPress may be vulnerable to a campaign known as SoakSoak, according to web security firm Sucuri, which warned about the malware in a blog post yesterday.

Daniel Cid, Sucuri’s CTO and founder, told Threatpost Monday morning that he’s seen the campaign targeting WordPress users running Internet Explorer on Windows and that it’s pushing multiple exploit kits to the browser.

The site the campaign was pulling malware from – a Russian domain – is currently offline, suggesting that the malware may have caught on faster than its creators expected.

“The good news is that the site was down for many hours yesterday and seems to be overloaded right now,” Cid said, “I guess they infected more sites than what they were expecting.”

The malware is modifying a file in WordPress, wp-includes/template-loader.php, that makes it so a JavaScript file, wp-includes/js/swobject.js, can be loaded onto every page on the site. After its decoded, it loads malware from the aforementioned Russian domain.

Cid  acknowledged that versions of WordPress that use older versions of a popular slideshow plugin, “Slider Revolution” a/k/a RevSlider, are vulnerable to SoakSoak. Specifically, all versions of the plugin prior to 4.1.4 are at risk.

In September, a vulnerability in version 4.1.4 of the plugin was discovered that could allow an attacker to download any file, including database credentials, from the affected site’s server. ThemePunch, the company behind the slider, actually fixed the issue in 4.2 but users who had the slider installed as part of a bundled theme never received the update.  The plugin’s instability is often directly linked to the way its is wrapped into theme packages. RevSlider’s automatic update mechanism is usually disabled when it comes as part of a theme, leaving it up to the webmaster to update it accordingly.

“Many users don’t even know they have this plugin because it comes bundled with many themes, explaining why a lot of sites are still not patched,” Cid said.

Tony Perez, another researcher with the firm, couldn’t confirm the exact vector yesterday in a write-up of the malware but did state that a preliminary analysis showed a correlation between SoakSoak and RevSlider.

There are more than 70 million sites that run on WordPress and RevSlider is one of the content management system’s most popular plugins so it’s difficult to know exactly how many and what kind of sites may have been hit by the malware.

It does appears that Dulfy.net, a site that provides guides for popular MMORP games like Guild Wars 2 and Star Wars: The Old Republic was one site that was infected by the malware over the weekend.

“We have identified and removed the hacked files. The site should be okay now,” a Dulgy spokeperson said on Reddit Monday however.

A Google Safe Browsing diagnostic page claims the site is fine now but was cited for suspicious activity in the past. In this case, as of yesterday “667 pages resulted in malicious software being downloaded and installed without user consent.”

Cid is encouraging users to remove revslider or update it to the latest version as soon as possible, clean the admin user list from the database to prevent reinfections, and to re-install WordPress to replace the infected files.

Update: 12/16 – ThemePunch, the developers behind RevSlider contacted Threatpost to clarify that versions of the plugin after 4.1.4, from February on, are safe. “The nature of plugins bundled in themes however caused a lot of older plugin versions to linger around on the web and providing a window for malicious attacks,” a spokesman from ThemePunch said. Cid, when reached Tuesday, corroborated these reports.

Suggested articles

Discussion

  • BALYAN on

    thanks
  • Fahrenheit on

    I've seen 3 infections occur on sites running the popular WP theme, Salient. The injection occurs in /wp-includes/js/json2.min.js and can be identified by eval(decodeURIComponent . . .
    • David on

      I'm currently using the theme Salient & been a victim of the SoakSoak Malware. Is there instructions of removal?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.