Attackers change tactics to keep the campaign active

Dec 24, 2014 07:58 GMT  ·  By

The SoakSoak campaign against more than 100,000 WordPress websites running a vulnerable version of the Slider Revolution (RevSlider) plug-in has changed its tune, as security researchers observed a new wave of infections that began on Sunday.

The name of the attack comes from the website that delivers the payload, soaksoak.ru. According to the analysis Sucuri performed when the wave of infections was first detected, the RevSlider vulnerability allowed the attackers to modify “wp-includes/template-loader.php.”

The file was altered to include code that loaded a specific JavaScript file (“wp-includes/js/swfobject.js”) on every page of the website; the next step of the infection was to load the JavaScript malware from the Russian website.

The plan is the same, only the files changed

A later analysis of the payload revealed that the cybercriminals do not always rely on soaksoak.ru, which Google has since blocked, to retrieve the malware.

A variation has been observed in which “swfobject.js” does not contact the website but instead creates a Flash object from the “wp-includes/js/swfobjct.swf” file.

Its purpose is to execute obfuscated JavaScript in Mozilla Firefox and Internet Explorer 11, the researchers found; at the time of the analysis, the Flash object, deemed 100% malicious by Sucuri, was not detected by any antivirus engine on VirusTotal.

In the latest wave of attacks, the same “swfobjct.swf” is used, but it is now created by a different file, “wp-includes/js/json2.min.js.” The code is more elaborate and loads another script from a different website.

“The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js,” Denis Sinegubko of Sucuri says in a blog post.

RevSlider should be updated to the latest version

Because the developers did not properly announce the latest RevSlider update, many users are still running vulnerable versions. Moreover, an older build of the plug-in is commonly bundled in theme packages, increasing the number of potential victims.

The fix was shipped silently by its creators, who delivered the update only to customers that purchased the product directly from their website. All other users had to upgrade manually, if they learned about the new version at all.

Sucuri says its systems have recorded attempts to locate old versions of RevSlider (earlier than 4.2).
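The indicators described above (a modified template-loader.php that loads swfobject.js, the unexpected swfobjct.swf file, JavaScript referencing the payload, and a RevSlider build older than 4.2) can be checked on a site's own files. The script below is an added example for this article, not Sucuri's scanner or any code from the campaign analysis. It assumes the RevSlider plug-in's main file is at wp-content/plugins/revslider/revslider.php with a standard WordPress plug-in header; the sample WordPress tree it builds, including the shape of the injected line, is constructed for the demonstration.

```python
"""Constructed example: scan a WordPress install for the SoakSoak indicators
named in the article. Not Sucuri's scanner; the sample tree is constructed."""
import os
import re
import tempfile

# Indicators from the article. RevSlider builds earlier than 4.2 are the ones probed.
THRESHOLD = (4, 2)
LOADER = os.path.join("wp-includes", "template-loader.php")
JS_FILES = [os.path.join("wp-includes", "js", "swfobject.js"),
            os.path.join("wp-includes", "js", "json2.min.js")]
SWF = os.path.join("wp-includes", "js", "swfobjct.swf")
# Assumed location of the plug-in's main file (standard WP plug-in header inside).
REVSLIDER_MAIN = os.path.join("wp-content", "plugins", "revslider", "revslider.php")
# Strings the article associates with the payload; the ad domain is kept as the defanged stem.
PAYLOAD_MARKERS = ("swfobjct.swf", "soaksoak.ru", "akeemdom")


def parse_version(header_text):
    """Return the 'Version:' field of a WP plug-in header as a tuple of ints, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)


def read(root, rel):
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan(root):
    """Return a list of human-readable findings for the WordPress tree at root."""
    findings = []
    loader = read(root, LOADER)
    if loader and "swfobject.js" in loader:
        findings.append("template-loader.php loads swfobject.js on every page")
    if os.path.isfile(os.path.join(root, SWF)):
        findings.append("unexpected wp-includes/js/swfobjct.swf is present")
    for rel in JS_FILES:
        body = read(root, rel)
        if body and any(marker in body for marker in PAYLOAD_MARKERS):
            findings.append(f"{rel} references the SoakSoak payload")
    header = read(root, REVSLIDER_MAIN)
    if header is not None:
        ver = parse_version(header)
        if ver is None or ver < THRESHOLD:
            label = ".".join(map(str, ver)) if ver else "unknown"
            findings.append(f"RevSlider version {label} is older than 4.2, update it")
    return findings


def build_sample(root, infected):
    """Write a tiny constructed WordPress tree, clean or carrying the indicators."""
    files = {
        LOADER: "<?php\n// core loader\nrequire_once ABSPATH . WPINC . '/template.php';\n",
        JS_FILES[0]: "/* SWFObject v2.2 */\nvar swfobject = function(){}();\n",
        JS_FILES[1]: "if(typeof JSON!=='object'){JSON={};}\n",
        REVSLIDER_MAIN: "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.6.0\n*/\n",
    }
    if infected:
        # Constructed stand-ins for the injected code, not the real malware.
        files[LOADER] += "wp_enqueue_script('swfobject', '/wp-includes/js/swfobject.js');\n"
        files[JS_FILES[1]] += "var f='/wp-includes/js/swfobjct.swf';\n"
        files[SWF] = "constructed placeholder, not a real Flash file"
        files[REVSLIDER_MAIN] = files[REVSLIDER_MAIN].replace("4.6.0", "4.1.4")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo(infected):
    """Build a sample tree in a temp dir and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="soaksoak_demo_")
    build_sample(root, infected)
    return scan(root)


if __name__ == "__main__":
    for line in demo(infected=True):
        print(line)
```

The version comparison uses integer tuples so that 4.1.4 sorts before 4.2 while 4.2.1 does not; the string checks are deliberately simple because the point is the file-level indicators the article lists, and a real site should additionally be compared against a known-good copy of the core files.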

When the SoakSoak malicious campaign was detected, Google automatically blacklisted over 11,000 websites that had been infected with the malware.

SoakSoak campaign (5 images): Malicious code in json2.min; Access to SoakSoak.ru has been blocked by Google; Sucuri's website scanner detects if the site is infected