SoakSoak Compromise via RevSlider Vulnerability

Another WordPress threat, named SoakSoak, was found to be injected into sites via the RevSlider plugin. The attack vector was confirmed by the security firm Sucuri. The vulnerability in this plugin had already been disclosed by Sucuri a few months earlier, but it seems that many webmasters either had not heard of it or did not take it seriously.

After investigating thousands of compromised sites, Sucuri published the attack sequence below (as described on the Sucuri blog):

1. Discovery: There appears to be an initial reconnaissance scan occurring where the attacker[s] are looking to see if the file exists. Snippet of the code:
[Image: soaksoak-malware-discovery code snippet]

2. Exploit: If the discovery phase is successful and they find a site using RevSlider, they use a second vulnerability in RevSlider and attempt to upload a malicious theme to the site:
[Image: soaksoak-malware-exploit code snippet]

3. Take over: If the exploit is successful, they inject the popular Filesman backdoor into the website, which they access directly at /wp-content/plugins/revslider/temp/update_extract/revslider/update.php. This provides full access by circumventing existing access controls:
[Image: soaksoak-malware-takeover code snippet]

From there, they inject a secondary backdoor that modifies the swfobject.js file and injects the malware redirecting site visitors to soaksoak.ru.

This malware may have long-term impacts on sites if it is not dealt with carefully, as it has been reported to make use of a number of new backdoor payloads, including backdoors hidden in images and the creation of admin users. Replacing the swfobject.js, swfobject.swf and template-loader.php files may help remove the infection, as suggested. But given the nature of the malware, you cannot be sure your site is completely safe unless you are using a website firewall.
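The indicators in the attack chain above (the backdoor dropped under the RevSlider temp path, the soaksoak.ru redirect injected into swfobject.js) and the cleanup advice (replace swfobject.js, swfobject.swf and template-loader.php) translate directly into a defender-side check. The script below is an added example, not code from the original post or from Sucuri: it scans a WordPress document root for those indicators and compares the three files against a clean reference copy by SHA-256, so tampering is caught even when the injected content is not the exact string seen here. The directory layout, file contents and the two sample trees it builds are constructed stand-ins for demonstration; the only values taken from the write-up are the backdoor path, the redirect domain and the three file names.

```python
"""Detect SoakSoak indicators on a WordPress install and compare the files the
cleanup advice names against a clean reference tree. Added example; sample
trees are constructed here, they are not real sites."""
import hashlib
import tempfile
from pathlib import Path

# Taken from the write-up: where the Filesman backdoor is accessed, and the
# domain visitors are redirected to by the injected swfobject.js.
BACKDOOR_PATH = Path("wp-content/plugins/revslider/temp/update_extract/revslider/update.php")
REDIRECT_DOMAIN = "soaksoak.ru"
# Files the cleanup advice says to replace; compared against a clean copy.
WATCHED_FILES = ("swfobject.js", "swfobject.swf", "template-loader.php")


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_indicators(site_root):
    """Return a sorted list of (indicator, relative_path) found under site_root."""
    site_root = Path(site_root)
    findings = []
    if (site_root / BACKDOOR_PATH).is_file():
        findings.append(("revslider_backdoor", BACKDOOR_PATH.as_posix()))
    # Any swfobject.js copy anywhere in the tree that references the domain.
    for path in site_root.rglob("swfobject.js"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if REDIRECT_DOMAIN in text:
            findings.append(("redirect_injection", path.relative_to(site_root).as_posix()))
    return sorted(findings)


def find_tampered_files(site_root, clean_root):
    """Compare every watched file under site_root with the file at the same
    relative path in a clean reference tree (for example a freshly unpacked
    WordPress release). Report files whose hashes differ or that have no clean
    counterpart, which would be an unexpected extra copy of a watched file."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    tampered = []
    for name in WATCHED_FILES:
        for path in site_root.rglob(name):
            if not path.is_file():
                continue
            rel = path.relative_to(site_root)
            ref = clean_root / rel
            if not ref.is_file() or sha256_file(path) != sha256_file(ref):
                tampered.append(rel.as_posix())
    return sorted(tampered)


def build_demo_trees():
    """Constructed sample: a clean tree and an infected copy of it. The layout
    mimics a WordPress install but all file contents are placeholders."""
    base = Path(tempfile.mkdtemp(prefix="soaksoak-demo-"))
    clean, infected = base / "clean", base / "infected"
    for root in (clean, infected):
        (root / "wp-includes/js").mkdir(parents=True)
        (root / "wp-includes/js/swfobject.js").write_text("/* constructed stand-in for swfobject.js */\n")
        (root / "wp-includes/js/swfobject.swf").write_bytes(b"constructed stand-in for swfobject.swf")
        (root / "wp-includes/template-loader.php").write_text("<?php /* constructed stand-in */\n")
    # Infect the copy: drop a file at the backdoor path, inject the redirect
    # domain into swfobject.js, and append to template-loader.php.
    backdoor = infected / BACKDOOR_PATH
    backdoor.parent.mkdir(parents=True)
    backdoor.write_text("<?php /* constructed stand-in for the dropped backdoor */\n")
    js = infected / "wp-includes/js/swfobject.js"
    js.write_text(js.read_text() + "/* constructed: redirect visitors to soaksoak.ru */\n")
    loader = infected / "wp-includes/template-loader.php"
    loader.write_text(loader.read_text() + "/* constructed: appended tampering */\n")
    return clean, infected


if __name__ == "__main__":
    clean, infected = build_demo_trees()
    print("indicators:", scan_for_indicators(infected))
    print("tampered  :", find_tampered_files(infected, clean))
    print("clean tree:", scan_for_indicators(clean), find_tampered_files(clean, clean))
```

On a real site, point `scan_for_indicators` at the document root and `find_tampered_files` at the root plus an unpacked clean copy of the same WordPress version; a hit on `revslider_backdoor` or a hash mismatch on any watched file is the cue to restore those files from a known-good source and then patch or remove the vulnerable plugin, rather than only deleting the file that was found.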

Worried about the potential risk? Visit the Sucuri website for a free site scan.
Sucuri Security
