
Over the weekend, the security team at Sucuri discovered that more than 100,000 WordPress sites have been hit with the SoakSoak.ru malware campaign. This campaign has resulted in more than 11,000 domains being blacklisted by Google.
SoakSoak modifies the wp-includes/template-loader.php file in order to inject JavaScript, which contains the malware, into every page on compromised sites. You can check to see if your site is affected by using Sucuri’s free SiteCheck scanner.
After researching the compromised sites, Sucuri found that SoakSoak’s vehicle of attack is the critical security vulnerability that was discovered in the Slider Revolution plugin and made public in September. At that time, Envato identified more than 1,000 themes sold through its marketplace that were potentially affected by this particular vulnerability.
The Slider Revolution issue, though silently patched in February, has been actively exploited since its disclosure. Many WordPress site administrators have not updated their copies of the Slider Revolution plugin to the patched version, leaving their sites open to compromise. Since the plugin is packaged with many themes sold through Themeforest, site owners are not always aware that they are vulnerable.
According to the report from Sucuri, the SoakSoak attack first scans sites to locate the vulnerable file within the Slider Revolution plugin in order to gain access to the wp-config.php file. If successful, the intruder then attempts to upload a malicious theme to the site, followed by injecting the Filesman backdoor into the website. The attacker then injects another backdoor in order to modify the swfobject.js file to inject malware that redirects visitors to soaksoak.ru.
This malware attack is particularly difficult to clean up after. If your site has been compromised, you cannot simply remove the infected files. The backdoors will also need to be addressed, as well as the Slider Revolution vulnerabilities. Sucuri advises stopping malicious attacks through a firewall. If your site or one of your clients’ sites is using the Slider Revolution plugin, it is imperative that you check to see if you are affected and update your site and plugins immediately.
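For a local check of the two files this article names, the following is an added example (not code from Sucuri or from the original article). It assumes you have unpacked a clean copy of the same WordPress version next to the live site; `check_site` and both directory arguments are hypothetical names.

```python
import hashlib
import sys
from pathlib import Path

# Files the article says the campaign modifies.
TARGET_NAMES = {"template-loader.php", "swfobject.js"}
# Indicator taken from the article: the redirect domain.
INDICATORS = (b"soaksoak.ru",)


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_site(site_root, clean_root):
    """Return (relative_path, reason) findings for the files named above.

    site_root:  document root of the live WordPress install.
    clean_root: pristine copy of the same WordPress version (assumption).
    """
    site_root, clean_root = Path(site_root), Path(clean_root)
    findings = []
    for path in sorted(site_root.rglob("*")):
        if not path.is_file() or path.name not in TARGET_NAMES:
            continue
        rel = path.relative_to(site_root)
        data = path.read_bytes().lower()
        # A plain-text match is a strong hit, but an obfuscated payload
        # will not contain the domain, so the hash comparison still runs.
        for indicator in INDICATORS:
            if indicator in data:
                findings.append((rel.as_posix(), "contains " + indicator.decode()))
        reference = clean_root / rel
        if not reference.is_file():
            # For example a copy bundled with a theme or plugin: review by hand.
            findings.append((rel.as_posix(), "no reference copy"))
        elif sha256(reference) != sha256(path):
            findings.append((rel.as_posix(), "differs from clean copy"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check.py <site_root> <clean_wordpress_root>")
    results = check_site(sys.argv[1], sys.argv[2])
    for rel, reason in results:
        print(f"{rel}: {reason}")
    sys.exit(1 if results else 0)
```

A clean result here covers only these two files; it says nothing about the backdoors or the vulnerable plugin described above.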
It’s disappointing that so many sites are affected by the vulnerabilities considering sites like the Tavern and others did a great job of telling people about the issues with Rev Slider. I wonder what happened? Did they never find out about it? Could they simply not upgrade? Did sites not want to upgrade? We’ll never know.