The attackers have now begun targeting a different file, wp-includes/js/json2.min.js, which is being modified to load a malicious Flash file.
“The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js,” researchers at Sucuri wrote in an analysis of the attack.
The SoakSoak malware campaign is targeting older versions of a popular WordPress plugin called RevSlider. Versions prior to 4.2 are being exploited, Denis Sinegubko of Sucuri said. The vulnerability in the plugin was disclosed several months ago and was discussed on underground forums.
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner. Some website owners don’t even know they have it as it’s been packaged and bundled into their themes,” Daniel Cid of Sucuri wrote last week.
The vulnerability was patched silently by the plugin’s developers, but sites that have not been updated are still vulnerable to these kinds of attacks.
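A site owner can check for both conditions described above: a modified wp-includes/js/json2.min.js and a RevSlider copy older than 4.2, including one bundled inside a theme. The following is an added example, not code from Sucuri or from the plugin's developers. It assumes a clean copy of the same WordPress release is unpacked alongside the site and that the plugin's main file is named `revslider.php` with a standard `Version:` header; the sample trees and version numbers are constructed.

```python
import re
import tempfile
from pathlib import Path

JSON2 = "wp-includes/js/json2.min.js"      # file named in the article
INDICATORS = ("swfobjct.swf", "akeemdom")  # strings named in the article
FIXED = (4, 2)                             # versions prior to 4.2 are exploited

def json2_findings(site, clean):
    """Compare the site's json2.min.js with a clean copy and look for indicators."""
    data = (Path(site) / JSON2).read_bytes()
    modified = data != (Path(clean) / JSON2).read_bytes()
    text = data.decode("utf-8", "replace").lower()
    return {"modified": modified, "indicators": [i for i in INDICATORS if i in text]}

def old_revslider(site):
    """List (path, version) of RevSlider copies below 4.2, theme-bundled ones included."""
    hits = []
    for f in Path(site, "wp-content").rglob("revslider.php"):  # assumed file name
        m = re.search(r"Version:\s*(\d+(?:\.\d+)*)", f.read_text(errors="replace"), re.I)
        if m and tuple(map(int, m.group(1).split("."))) < FIXED:
            hits.append((f.relative_to(site).as_posix(), m.group(1)))
    return sorted(hits)

def build_sample(root):
    """Constructed sample trees: a clean core copy and a tampered site."""
    clean, site = Path(root, "clean"), Path(root, "site")
    files = {
        clean / JSON2: "var JSON;JSON||(JSON={});",
        site / JSON2: "var JSON;JSON||(JSON={});/* constructed */ load('swfobjct.swf');",
        site / "wp-content/themes/demo/plugins/revslider/revslider.php":
            "<?php\n/*\nPlugin Name: Revolution Slider\nVersion: 4.1.4\n*/\n",
        site / "wp-content/plugins/revslider/revslider.php":
            "<?php\n/*\nPlugin Name: Revolution Slider\nVersion: 4.6.5\n*/\n",
    }
    for path, body in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return site, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_sample(tmp)
        print(json2_findings(site, clean))
        print(old_revslider(site))
```

A `modified` result with no indicator match still warrants review, since injected code may be obfuscated and the strings it loads can change.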