SoakSoak

Discovered in late 2014, SoakSoak is a Russian-based malware variant designed to scan WordPress-powered websites for vulnerabilities and exploit them in order to turn its targets into a malware-distribution botnet. Specifically, it exploits the RevSlider vulnerability that affects WordPress websites using the RevSlider (Slider Revolution) plugin. It searches each site for the revicons.eot file and attempts to download the WordPress configuration file. If successful, SoakSoak then uploads a malicious theme to the site and injects a backdoor that gives the attackers administrative access, circumventing the site's existing access controls. In response to this initial SoakSoak attack, Google blacklisted over 11,000 affected websites to help prevent further spread of the infection. RevSlider's developers quickly and quietly patched the vulnerability, but websites that have not updated the plugin remain vulnerable.
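As an added illustration (not part of this entry or of any of the cited reports), the probe-then-fetch sequence described above leaves a recognisable trace in web server access logs. The Python script below parses constructed combined-format log lines and rates each source address; the plugin directory, the addresses and the exact request shapes in the sample are assumptions, and matching is on the revicons.eot filename and on any reference to wp-config.php in a request URI.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format. Addresses are
# documentation ranges and the plugin directory is a placeholder, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2014:03:12:01 +0000] "GET /wp-content/plugins/revslider/fonts/revicons.eot HTTP/1.1" 200 23456
203.0.113.5 - - [14/Dec/2014:03:12:03 +0000] "GET /wp-content/plugins/revslider/../../../wp-config.php HTTP/1.1" 200 3121
198.51.100.7 - - [14/Dec/2014:03:15:40 +0000] "GET /2014/12/hello-world/ HTTP/1.1" 200 8812
198.51.100.9 - - [14/Dec/2014:03:16:02 +0000] "GET /wp-content/plugins/revslider/fonts/revicons.eot HTTP/1.1" 404 209
192.0.2.33 - - [14/Dec/2014:03:20:11 +0000] "GET /index.php?p=../wp-config.php HTTP/1.1" 403 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def classify(uri):
    """Map a request URI to the stage of the chain it resembles, or None."""
    low = uri.lower()
    if "wp-config.php" in low:          # ordinary visitors never fetch the config file over HTTP
        return "config-fetch"
    if low.endswith("revicons.eot"):    # fingerprint of the RevSlider plugin being present
        return "revslider-probe"
    return None

def scan_log(text):
    """Return {source_ip: (finding, severity)} for sources showing either stage.

    A config fetch the server answered with 200 is rated 'high' (the file may
    have been disclosed); a config fetch the server rejected is 'medium'; a
    plugin probe alone is 'low' (reconnaissance worth watching, not a compromise).
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m["uri"])
        if stage:
            events[m["ip"]].append((stage, m["status"]))
    findings = {}
    for ip, evs in events.items():
        stages = [s for s, _ in evs]
        if any(s == "config-fetch" and st == "200" for s, st in evs):
            findings[ip] = ("config-file-disclosed", "high")
        elif "config-fetch" in stages:
            findings[ip] = ("config-fetch-blocked", "medium")
        else:
            findings[ip] = ("revslider-probe", "low")
    return findings

if __name__ == "__main__":
    for ip, (finding, sev) in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{sev:6} {ip:15} {finding}")
```

A 'high' finding on a live site is a cue to treat the database credentials in wp-config.php as exposed and to inspect the theme directory for files the administrators did not install.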

In 2016, security researchers reported seeing a surge in CryptXXX ransomware infections traced back to compromised WordPress websites that redirected visitors to the Neutrino exploit kit. This payload is the latest in an ever-changing string of attacks delivering different types of malware including click-fraud and password-stealing Trojans.

WordPress website owners and administrators can scan their websites for vulnerabilities and malware using a free scanner available from HackerTarget.com. Those using the RevSlider plugin are urged to update it immediately to the latest version to prevent exploitation and compromise.

Reporting and Technical Details

  • September 2014: Slider Revolution Plugin Critical Vulnerability Being Exploited (Sucuri)
  • December 2014: SoakSoak Malware Compromises 100,000+ WordPress Websites (Sucuri)
  • December 2014: RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise (Sucuri)
  • December 2014: SoakSoak Malware Campaign Evolves (Threatpost)
  • July 2016: SoakSoak Botnet Pushing Neutrino Exploit Kit and CryptXXX Ransomware (Threatpost)
  • December 2016: CryptXXX Ransomware Spread Further via SoakSoak Botnet (LIFARS)