More than 11,000 websites using the WordPress blogging platform have been blacklisted by Google, after they were infected by the “SoakSoak” malware.

ccd7ab08-fd8c-48c3-8005-110652b2555a-620x372
Security firm Sucuri, which first reported on the blacklisting, claims that the malware’s impact could be far wider though, stretching to “hundreds of thousands” of sites.

SoakSoak modifies a file in infected sites’ WordPress installation, then loads a Javascript malware from the soaksoak.ru domain – hence the name.

Sucuri claimed that SoakSoak is using a vulnerability in the RevSlider WordPress plugin that it first spotted in September, but which is often used within WordPress themes, meaning website owners may not have known they needed to update it.

“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner,” wrote Sucuri’s Daniel Cid.

“Some website owners don’t even know they have it as it’s been packaged and bundled into their themes. We’re currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.”

Cid added that even when website owners try to clean the two affected files in their WordPress installation, they may be swiftly reinfected.

“This campaign is also making use of a number of new backdoor payloads, some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term,” he wrote.

“Some users are clearing infections and getting reinfected within minutes and the reason is that of the complex nature of the payloads and improper cleaning efforts.”

Rival security firm Kaspersky’s Threat Post blog noted that there are more than 70 million websites running on WordPress, although there are no figures for how many of them are using the RevSlider plugin.

Security researcher Graham Cluley suggested that Google’s decision to blacklist more than 11,000 affected domains soon after the attack was publicised was “a quick-thinking reaction which hopefully will make it more difficult for the attackers to monetise their cybercriminal campaign”.

Meanwhile, affected site owners have been figuring out how to get their blogs cleaned up and back on Google. If you’re one of them, this thread on the official WordPress forum may be useful.

About The Author

Related Posts