Sucuri disclosed a large malware campaign targeting and compromising over 100,000 WordPress sites, and growing by the hour. It was named SoakSoak due to the first domain used in the malware redirection path (soaksoak.ru).
According to Sucuri, the malware exploits a vulnerability in the Slider Revolution (RevSlider) slideshow plugin. The Slider Revolution team has known about the vulnerability since September, but it looks like they failed to get a fix onto affected sites before the security hole got crammed with steaming hot malware.
The Attack Sequence
We have investigated thousands of compromised sites with this injection and based on the logs, we are able to confirm the exact attack vector being targeted.
- Discovery: There appears to be an initial reconnaissance scan occurring where the attacker(s) are looking to see if the file exists.
- Exploit: If the discovery phase is successful and they find a site using Revslider, they use a second vulnerability in Revslider and attempt to upload a malicious theme to the site.
- Take over: If the exploit is successful, they inject the popular Filesman backdoor into the website, which they access directly at /wp-content/plugins/revslider/temp/update_extract/revslider/update.php. This provides full access by circumventing existing access controls.
From there, they inject a secondary backdoor that modifies the swfobject.js file and injects the malware redirecting site visitors to soaksoak.ru.
Do not just clean these 2 files!
We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection.
It does remove the infection, but it does not address the leftover backdoors and initial entry points. The website will be reinfected quickly. If you are affected by this, expect to find yourself riddled with backdoors and infections; you have to not only clean, but also stop all malicious attacks. You can stop malicious attacks through the use of a Website Firewall, Sucuri's or someone else's; just use a firewall, preferably a real one.
Read the entire release here
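As an added example (not part of this page or of Sucuri's release), here is a small Python triage script that walks the three stages described above through web-server access logs and then checks for what the "just replace two files" cleanup leaves behind. The log lines and the file listing are constructed for the example; the name of the file probed during discovery, the rule that a POST to the plugin is the upload attempt, and the second dropped file in the temp tree are assumptions, since the quoted release does not say which file is probed or how the upload is performed. The only indicators taken from the release are the backdoor path, the two files people are replacing, and the soaksoak.ru domain.

```python
import re
from collections import defaultdict

# Indicators quoted from the Sucuri write-up above.
BACKDOOR_PATH = "/wp-content/plugins/revslider/temp/update_extract/revslider/update.php"
REVSLIDER_PREFIX = "/wp-content/plugins/revslider/"
REDIRECT_DOMAIN = "soaksoak.ru"
TEMP_TREE = REVSLIDER_PREFIX + "temp/update_extract/"

# Assumption: Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log. 203.0.113.5 walks all three stages; 198.51.100.7 only
# probes (and gets a 404); 192.0.2.9 is ordinary traffic. The probe target
# release_log.txt and the POST target are hypothetical, not from the release.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2014:10:01:02 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2014:10:01:09 +0000] "POST /wp-content/plugins/revslider/revslider_admin.php HTTP/1.1" 200 38 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2014:10:01:30 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/update.php HTTP/1.1" 200 4031 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2014:10:05:00 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Dec/2014:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9011 "-" "Mozilla/5.0"',
]

# Constructed file listing of an infected install; settings.php is a hypothetical
# second dropped file, included to show that the temp tree needs a full review.
SAMPLE_TREE = [
    "/wp-content/plugins/revslider/revslider.php",
    "/wp-content/plugins/revslider/temp/update_extract/revslider/update.php",
    "/wp-content/plugins/revslider/temp/update_extract/revslider/settings.php",
    "/wp-includes/js/swfobject.js",
    "/wp-includes/template-loader.php",
]


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["url"].split("?", 1)[0]  # drop the query string
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Map one request onto a stage of the attack sequence, or None."""
    path = entry["path"]
    if path == BACKDOOR_PATH:
        return "takeover"  # direct access to the dropped Filesman backdoor
    if path.startswith(REVSLIDER_PREFIX):
        # Assumption: the theme upload arrives as a POST to the plugin, while a
        # plain GET to a plugin file is the reconnaissance probe.
        return "exploit" if entry["method"] == "POST" else "discovery"
    return None


def triage(log_lines):
    """Group hits by client IP: {ip: {stage: [paths, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage:
            hits[entry["ip"]][stage].append(entry["path"])
    return hits


def attackers(log_lines):
    """IPs that went past discovery: an upload attempt or a backdoor access."""
    return sorted(ip for ip, stages in triage(log_lines).items()
                  if "exploit" in stages or "takeover" in stages)


def js_is_infected(js_source):
    """True if a swfobject.js body carries the redirect domain."""
    return REDIRECT_DOMAIN in js_source


def leftover_backdoors(paths):
    """PHP files in the plugin's temp/update_extract tree, the backdoor itself included.

    Replacing swfobject.js and template-loader.php does not touch any of these,
    which is why the two-file cleanup gets reinfected.
    """
    return sorted(p for p in paths if p.startswith(TEMP_TREE) and p.endswith(".php"))


if __name__ == "__main__":
    for ip, stages in triage(SAMPLE_LOG).items():
        print(ip, {stage: len(paths) for stage, paths in stages.items()})
    print("attackers:", attackers(SAMPLE_LOG))
    print("leftover PHP in temp tree:", leftover_backdoors(SAMPLE_TREE))
```

Run it against a real log by replacing SAMPLE_LOG with the lines of access.log, and against a real install by feeding leftover_backdoors() the output of a recursive listing of wp-content. Treat its output as a review list rather than a delete list: the plugin extracts its own updates into that temp directory, so compare anything found there against a clean copy of the plugin before removing it. Blocking the IPs it reports is not a fix either; the entry point is the plugin, and it stays open until the plugin is updated or fronted by a firewall as the release says.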