New Russian Malware Impacts 100,000 WordPress Sites

Google blacklisted more than 10,000 domains compromised with a piece of malware dubbed SoakSoak, according to virus researchers.

Up to 100,000 WordPress sites may be vulnerable to the malicious campaign, Sucuri said. Any version of WordPress that uses a popular slideshow plugin called “Slider Revolution” or RevSlider can fall victim to SoakSoak.

In September, researchers discovered a zero-day vulnerability in the plugin that allows an attacker to download any file from the site`s server, including database credentials, and compromise the website via the database. The problem lies in the way the plugin is wrapped into theme packages. When it becomes part of a theme, RevSlider`s automatic update mechanism is usually disabled and manual updates need to be performed in a process prone to error.

The SoakSoak malware modifies a file called wp-includes/template-loader.php that enables loading of a JavaScript file, wp-includes/js/swobject.js, on every page on the site. After it`s decoded, it loads malware from a Russian domain.

The Russian domain attackers use to get malware is currently down.

The campaign caused both revenue and reputation losses for WordPress blog owners blacklisted by Google.