WordPress To Compromise With SoakSoak Malware


Introduction

Security firm Sucuri reports that Google has blacklisted over 11,000 malware-infected WordPress domains, and that over 100,000 sites in total have been affected by a new malware campaign tied to SoakSoak.ru.

By exploiting a vulnerability in the WordPress plugin RevSlider, SoakSoak modifies a file in the site's WordPress installation and loads JavaScript malware.

RevSlider is often bundled into WordPress themes, so many site owners may not even know they're using the plugin, let alone that they need to update it to prevent a malware attack. Moreover, it's not a plugin that's easily updated, as Sucuri's Daniel Cid points out:

“The biggest issue is that the RevSlider plugin is a premium plugin; it’s not something everyone can easily upgrade, and that in itself becomes a disaster for website owners. Some website owners don’t even know they have it, as it’s been packaged and bundled into their themes.”

Visitors to infected sites may be redirected to a web page that attempts to download malware onto their computers. Google's decision to block infected sites shortly after the vulnerability became known will hopefully prevent the malware from spreading any further.

The Attack Sequence

Sucuri investigated thousands of sites compromised with this injection and, based on their logs, was able to confirm the exact attack vector being targeted.

Discovery: There appears to be an initial reconnaissance scan in which the attacker(s) check whether the RevSlider file exists. Snippet from the logs:


94.153.8.126 - - [14/Dec/2014:09:59:35 -0500] "GET /wp-content/plugins/revslider/rs-plugin/font/revicons.eot HTTP/1.1" 200

94.190.20.83 - - [14/Dec/2014:00:12:07 -0500] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.0" 202

The first entry probes for the revicons.eot file, and the second attempts to use one of the RevSlider vulnerabilities to download the wp-config.php file.

Exploit: If the discovery phase is successful and they find a site using RevSlider, they use a second vulnerability in RevSlider to attempt to upload a malicious theme to the site:


94.153.8.126 - - [14/Dec/2014:04:31:28 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 4183 "-"

Content-Disposition: form-data; revslider_ajax_action

update_plugin; name="update_file";…

Take over: If the exploit is successful, they inject the popular Filesman backdoor into the website, which they access directly at /wp-content/plugins/revslider/temp/update_extract/revslider/update.php. This gives them full access by circumventing the existing access controls:


94.153.8.126 - - [14/Dec/2014:04:31:28 -0500] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/update.php HTTP/1.1" 200 5287 "-" "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0"

From there, they inject a secondary backdoor that modifies the swfobject.js file, injecting the malware that redirects site visitors to soaksoak.ru.
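As an added example (not part of the original post, and not Sucuri's tooling), the following Python script turns the three stages above into detection rules over web-server access logs. It flags the revicons.eot probe and the revslider_show_image traversal read as discovery, treats a POST to admin-ajax.php as a possible update_plugin upload only when the same client has already probed for RevSlider (a bare admin-ajax POST is normal WordPress traffic, and the request body that would show revslider_ajax_action is not in the access log), and treats any request under the plugin's temp/update_extract path as takeover. The log lines it scans are constructed for this example, modelled on the entries quoted above but using documentation-range IP addresses; the combined log format is the one shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-log style line as quoted in the post:
# ip ident user [timestamp] "METHOD path HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (not taken from the post), modelled on its entries.
# 203.0.113.5 walks the whole sequence; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2014:09:59:35 -0500] "GET /wp-content/plugins/revslider/rs-plugin/font/revicons.eot HTTP/1.1" 200 1234',
    '203.0.113.5 - - [14/Dec/2014:10:00:07 -0500] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.0" 200 2048',
    '203.0.113.5 - - [14/Dec/2014:10:01:28 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 4183 "-"',
    '203.0.113.5 - - [14/Dec/2014:10:01:29 -0500] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/update.php HTTP/1.1" 200 5287 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2014:10:05:00 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-"',
    '198.51.100.7 - - [14/Dec/2014:10:05:02 -0500] "GET /wp-content/themes/twentyfourteen/style.css HTTP/1.1" 200 3000',
]


def classify(method, path):
    """Return [(stage, description)] for one request; [] if it is unremarkable."""
    parts = urlsplit(path)
    query = parse_qs(parts.query)  # percent-decodes, so "..%2F" is seen as "../"
    hits = []
    if method == "GET" and parts.path.endswith("/plugins/revslider/rs-plugin/font/revicons.eot"):
        hits.append(("discovery", "probe for the RevSlider asset revicons.eot"))
    if query.get("action") == ["revslider_show_image"] and any("../" in v for v in query.get("img", [])):
        hits.append(("discovery", "revslider_show_image traversal read"))
    if "/plugins/revslider/temp/update_extract/" in parts.path:
        hits.append(("takeover", "request under the RevSlider temp/update_extract path"))
    return hits


def scan(lines):
    """Scan log lines in order; return {ip: [(stage, description, raw_line), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, method, path = m["ip"], m["method"], m["path"]
        for stage, desc in classify(method, path):
            findings[ip].append((stage, desc, line))
        # Correlation rule: an admin-ajax.php POST is only interesting when the
        # same client has already shown RevSlider discovery activity.
        prior = findings.get(ip, [])
        if (method == "POST" and urlsplit(path).path == "/wp-admin/admin-ajax.php"
                and any(stage == "discovery" for stage, _, _ in prior)):
            findings[ip].append(("exploit", "admin-ajax.php POST after RevSlider probe", line))
    return {ip: items for ip, items in findings.items() if items}


def stages_for(findings, ip):
    """The set of attack stages observed for one client address."""
    return {stage for stage, _, _ in findings.get(ip, [])}


def kill_chain_complete(findings):
    """Clients that show discovery, exploit and takeover: the full sequence above."""
    return sorted(ip for ip in findings
                  if stages_for(findings, ip) >= {"discovery", "exploit", "takeover"})


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, items in result.items():
        for stage, desc, line in items:
            print(f"{ip} {stage:<9} {desc}\n    {line}")
    print("full sequence from:", kill_chain_complete(result))
```

Run against a real access log, the takeover rule is the one to alert on by itself; the discovery rules are noisy on a site that legitimately uses RevSlider (every page load fetches revicons.eot), which is why the exploit rule keys on the traversal and probe history of a single client rather than on the asset request alone.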

 

This campaign is also making use of a number of new backdoor payloads. Some are injected into images to further assist evasion, and others are used to add new administrator users to the WordPress installs, giving the attackers even more control in the long term. Some users are cleaning up infections and getting reinfected within minutes; the reason is the complex nature of the payloads combined with incomplete cleaning efforts.
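The reinfection problem described above is, in practice, a completeness problem: if the modified swfobject.js or the dropped update.php is left behind, the site is re-entered at once. The following Python script is an added example (not from the post, and not Sucuri's code) of the file-integrity check a cleanup should end with: it records a SHA-256 baseline of every file under the WordPress root, then reports modified, added and missing files against that baseline, flagging additions under the RevSlider temp/update_extract path named in the post. demo() builds a toy WordPress tree in a temporary directory and simulates the two filesystem changes the post describes; the file contents and the core path wp-includes/js/swfobject.js are assumptions made for this example, and the added administrator users the post mentions have to be checked in the database, which this script does not cover.

```python
import hashlib
import tempfile
from pathlib import Path

# Added files under these prefixes are high-confidence indicators, based on the
# backdoor path quoted in the post.
SUSPICIOUS_PREFIXES = ("wp-content/plugins/revslider/temp/update_extract/",)


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root, baseline):
    """Compare the tree at root with a baseline taken while the site was clean."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def flag_suspicious(diff):
    """Added files in known drop locations, plus any added PHP file anywhere."""
    return sorted(p for p in diff["added"]
                  if p.startswith(SUSPICIOUS_PREFIXES) or p.endswith(".php"))


def demo():
    """Constructed scenario: baseline a toy install, simulate the infection, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        swf = root / "wp-includes" / "js" / "swfobject.js"   # assumed core path
        swf.parent.mkdir(parents=True)
        swf.write_text("/* constructed stand-in for a clean swfobject.js */\n")
        (root / "wp-config.php").write_text("<?php /* constructed */\n")
        baseline = build_baseline(root)  # in practice: stored off-host, read-only

        # Simulated infection: a loader appended to swfobject.js and a file
        # dropped at the update_extract path the post names.
        swf.write_text(swf.read_text() + "/* constructed injected loader */\n")
        dropped = root / "wp-content/plugins/revslider/temp/update_extract/revslider/update.php"
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php /* constructed stand-in for the dropped file */\n")

        diff = diff_against_baseline(root, baseline)
        diff["suspicious"] = flag_suspicious(diff)
        return diff


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:<10} {paths}")
```

The baseline only has value if it is taken from a known-clean state (a fresh install or a verified update) and kept where a compromised web server cannot rewrite it; a diff that comes back clean after a cleanup, and stays clean on the next run, is the evidence that the cleanup was complete rather than a guess.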

 

Kindly go through the links below to improve WordPress security:



Powered by Paras Babbar · Designed by Paras Babbar