Google has blacklisted more than 11,000 domains involved in the latest malware campaign from SoakSoak.ru. But, the impact is apparently much larger: it seems to be affecting most hosts across the WordPress hosting spectrum, according to researchers.
“Our analysis is showing impacts in the order of hundreds of thousands of WordPress-specific websites,” said Tony Perez, co-founder and CEO at Sucuri, in an analysis.
Sucuri confirmed that a vulnerability in the RevSlider plug-in that was disclosed some months ago was the attack vector. The flaw allows a remote attacker to download any file from the server, so it can be used to steal the database credentials, which in turn let an attacker compromise the website via the database.
“It seems that many webmasters have either not heard of or did not take seriously the vulnerability,” Perez said.
It’s a type of vulnerability known as a Local File Inclusion (LFI) attack. The attacker is able to access, review and download a local file on the server.
Exactly how many of the 70 million websites that use the content management system (CMS) are vulnerable is anyone’s guess at this point. But, any WordPress site that uses an unpatched version of RevSlider—and it’s one of the most common plug-ins deployed—is potentially vulnerable.
“The biggest issue is that the RevSlider plugin is a premium plugin; it’s not something everyone can easily upgrade, and that in itself becomes a disaster for website owners,” Sucuri noted. “Some website owners don’t even know they have it as it’s been packaged and bundled into their themes. We’re currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.”
The attackers’ steps are fairly straightforward: after a discovery phase, they use a second vulnerability in RevSlider and attempt to upload a malicious theme to the site. If the exploit is successful, they inject the popular Filesman backdoor into the website. From there, they inject a secondary backdoor that modifies the swfobject.js file and injects the malware redirecting site visitors to soaksoak.ru.
“This campaign is also making use of a number of new backdoor payloads; some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term,” Perez said. “Some users are clearing infections and getting reinfected within minutes and the reason is because of the complex nature of the payloads and improper cleaning efforts.”
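As an added defensive example (not code from the article, Sucuri or WordPress), the scan below walks a WordPress tree and flags the three artifacts the article describes: any file referencing soaksoak.ru, a swfobject.js whose hash differs from a known-good baseline, and PHP code hidden inside an image file. The sample site, its file contents and the baseline hash are constructed here purely for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: visitors are redirected to soaksoak.ru,
# swfobject.js is modified, and some backdoors are hidden inside image files.
REDIRECT_DOMAIN = b"soaksoak.ru"
TARGET_FILE = "swfobject.js"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_wordpress_tree(root, baseline_hashes):
    """Walk a WordPress install; return sorted (relative path, reason) findings.
    baseline_hashes maps relative POSIX paths to SHA-256 of a known-good copy."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if REDIRECT_DOMAIN in data:
            findings.append((rel, "references soaksoak.ru"))
        if path.name == TARGET_FILE and rel in baseline_hashes:
            if hashlib.sha256(data).hexdigest() != baseline_hashes[rel]:
                findings.append((rel, "swfobject.js differs from baseline"))
        if path.suffix.lower() in IMAGE_EXTS and PHP_TAG.search(data):
            findings.append((rel, "PHP code embedded in image"))
    return sorted(findings)


def build_sample_site():
    """Write a constructed, deliberately tampered WordPress-like tree to a temp
    dir and return (root, baseline_hashes). Every file here is made up."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    clean_js = b"/* SWFObject v2.2 */ var swfobject = function(){}();\n"
    js_rel = "wp-includes/js/" + TARGET_FILE
    baseline = {js_rel: hashlib.sha256(clean_js).hexdigest()}
    samples = {
        js_rel: clean_js + b'var r="http://soaksoak.ru/";\n',  # tampered copy
        "wp-content/uploads/logo.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
        "index.php": b"<?php require 'wp-blog-header.php';\n",  # legitimate PHP
    }
    for rel, data in samples.items():
        full = root / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return str(root), baseline
```

On a real install, build the baseline from a fresh copy of the same WordPress version and treat every hit as a reason to inspect the file, not as proof of infection on its own.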