The SoakSoak malware is now employing new tactics and has recently infected a new batch of websites. The attackers have also changed the JavaScript code they inject into the targeted web pages.
Thousands of websites infected with SoakSoak were blacklisted by Google last week. The malware targets WordPress sites, into which the attackers inject malicious JavaScript files.
The attackers' initial target was wp-includes/template-loader.php. Once that file is modified, the malicious JavaScript can appear across the whole infected website. That code then initiates a malware download from a remote domain.
SoakSoak’s New Target
The authors behind the SoakSoak campaign have a new target: the file wp-includes/js/json2.min.js, which is modified to load a corrupted Flash file. Researchers with Sucuri explain that “The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js.”
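Because both reported targets are WordPress core files, a site owner can compare them with a trusted copy of the same WordPress release and look for the strings named in the Sucuri quote. The following is an added example, not code from Sucuri or WordPress; the function names, the SHA-256 manifest and the temporary sample trees are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Core files the article names as modified by the campaign.
TARGETS = ("wp-includes/template-loader.php", "wp-includes/js/json2.min.js")
# Strings from the article's Sucuri quote; the domain is matched by its label only.
INDICATORS = (b"swfobjct.swf", b"akeemdom")

def build_manifest(pristine_root):
    """Hash the target files in a trusted, unpacked copy of the same WordPress release."""
    root = Path(pristine_root)
    return {rel: hashlib.sha256((root / rel).read_bytes()).hexdigest() for rel in TARGETS}

def audit_core_files(wp_root, manifest):
    """Return {relative_path: [issues]} for every target that fails a check."""
    findings = {}
    for rel in TARGETS:
        path = Path(wp_root) / rel
        if not path.is_file():
            findings[rel] = ["missing"]
            continue
        data = path.read_bytes()
        issues = []
        if hashlib.sha256(data).hexdigest() != manifest.get(rel):
            issues.append("hash mismatch")
        issues += ["indicator: " + i.decode() for i in INDICATORS if i in data.lower()]
        if issues:
            findings[rel] = issues
    return findings

def demo():
    """Constructed sample: a clean tree and a copy with one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel in TARGETS:
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(b"/* constructed stand-in for " + rel.encode() + b" */\n")
        # Constructed tampering: append a reference to the file name from the article.
        with open(live / TARGETS[1], "ab") as fh:
            fh.write(b"/* constructed: loads swfobjct.swf */\n")
        return audit_core_files(live, build_manifest(clean))

if __name__ == "__main__":
    for rel, issues in demo().items():
        print(rel, "->", ", ".join(issues))
```

A hash mismatch alone only shows that the file differs from the reference copy, so the reference must come from the exact WordPress version the site runs.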
Older versions of the popular RevSlider plugin are targeted in the SoakSoak campaign, mostly the ones prior to 4.2. Several months ago, researchers disclosed the vulnerability in the plugin.
Daniel Cid of Sucuri says that the biggest issue here is that this is a premium plugin, which cannot be easily upgraded by everyone. Some of the affected websites’ owners do not even realize they have RevSlider packaged into their themes.
The developers of the plugin have patched it silently, but websites that have not been updated are still vulnerable to attacks of this sort.