
SoakSoak

Posted: February 12, 2015

Threat Metric

Threat Level: 8/10
Infected PCs: 1,778
First Seen: February 12, 2015
Last Seen: June 19, 2023
OS(es) Affected: Windows

SoakSoak is a malware campaign that compromises third-party websites and injects code that attacks the browsers of those sites' visitors in order to install malware on their PCs. The current SoakSoak campaign targets WordPress sites, including domains running outdated versions of certain plugins. Although Google has already blacklisted thousands of sites associated with SoakSoak, other compromised websites remain active and could infect the PCs of users who have done nothing more than visit an affected site. Anyone who believes their system may have been exposed to a SoakSoak attack should run a full anti-malware scan.

SoakSoak: the Indiscriminate Spray of Trojans

While the SoakSoak campaign has been known to target other sites, WordPress installations make up the majority of its current victims. So far, SoakSoak has used at least two distinct methods of compromising websites. The first, now outdated, modified the site file 'wp-includes/template-loader.php' to insert JavaScript. The second targets 'wp-includes/js/json2.min.js', which is altered to load hostile Flash content. In either case, the campaign's aim is to redirect the site's traffic to Soaksoak.ru and other domains associated with SoakSoak, which launch attacks that install threats automatically. Malware experts are still examining the full range of payloads these attacks deliver.

Because the SoakSoak campaign makes generous use of minimal iframe content, these redirections to hostile sites are visually undetectable and trigger without taking the victim away from the original website. The injected content is also heavily obfuscated, which can prevent default security features from identifying it as an attack. PC users without adequate browser protection could see their systems infected without doing anything other than loading the hacked site.

Coming in from the Malware Rain

Website administrators can use a range of free tools, such as automated site scanners, to identify SoakSoak content. However, malware experts particularly urge site admins to keep track of their plugins, such as RevSlider (AKA 'Slider Revolution'), one known route by which SoakSoak's vulnerabilities have been introduced unintentionally. RevSlider has been patched to block future exploitation via this method, but sites running outdated versions of the plugin remain at risk of being hacked. Since RevSlider and other plugins may be bundled by default with various themes and packages, you don't need to have installed the plugin individually to be running it on your website.
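The two injection points described in the previous section and the plugin check above, as an added example that is not code from the original page or from any scanner it mentions: a small Python script that inspects the named wp-includes files for references to soaksoak.ru and for hidden-iframe, Flash and obfuscation patterns, and that inventories every copy of RevSlider under wp-content, including copies bundled inside a theme rather than installed as a plugin. The indicator regexes, the constructed sample files and the min_safe_version threshold are assumptions for illustration; the page does not state the patched RevSlider version, so the real number must come from the vendor changelog.

```python
"""Added example (not from the original page): scan a WordPress tree for the
SoakSoak injection pattern and inventory RevSlider copies, including theme bundles.
Indicator patterns, sample files and the version threshold are assumptions."""
import os
import re
import tempfile

# Core files the text names as injection points. No other paths are assumed.
TARGET_FILES = ("wp-includes/template-loader.php", "wp-includes/js/json2.min.js")

# Indicators: the domain comes from the text; the iframe, Flash and obfuscation
# heuristics are generic assumptions, not the signature of a specific sample.
# Note: the pristine json2.js itself uses eval() inside JSON.parse, so a hit on
# "obfuscation" alone is a prompt to diff against a clean core copy, not proof.
INDICATORS = {
    "soaksoak-domain": re.compile(r"soaksoak\.ru", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0\b", re.I),
    "flash-embed": re.compile(r"\.swf\b|x-shockwave-flash", re.I),
    "obfuscation": re.compile(r"\beval\s*\(|String\.fromCharCode|\bunescape\s*\(", re.I),
}
VERSION_RX = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)

def scan_file(path):
    """Names of the indicators that fire in one file ([] if unreadable)."""
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_injections(root):
    """Check the two known target files plus everything under wp-includes/js.
    Returns {relative path: [indicator, ...]} for files with at least one hit."""
    candidates = {os.path.join(root, *rel.split("/")) for rel in TARGET_FILES}
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-includes", "js")):
        candidates.update(os.path.join(dirpath, f) for f in files)
    findings = {}
    for path in sorted(candidates):
        hits = scan_file(path)
        if hits:
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def find_revslider(root):
    """Every revslider/revslider.php under wp-content with its header version.
    Walking all of wp-content (not only wp-content/plugins) catches theme bundles."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content")):
        if os.path.basename(dirpath) == "revslider" and "revslider.php" in files:
            with open(os.path.join(dirpath, "revslider.php"), encoding="utf-8",
                      errors="replace") as fh:
                m = VERSION_RX.search(fh.read(8192))
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            found.append((rel, m.group(1) if m else "unknown"))
    return sorted(found)

def version_tuple(v):
    return tuple(int(x) for x in v.split(".") if x.isdigit())

def outdated_revslider(root, min_safe_version):
    """Copies below min_safe_version (or with no readable version). The threshold
    is supplied by the caller from the vendor changelog; the page does not give it."""
    return [(p, v) for p, v in find_revslider(root)
            if v == "unknown" or version_tuple(v) < version_tuple(min_safe_version)]

def build_sample_site(root):
    """Constructed sample tree: a clean core file, an injected json2.min.js and
    two RevSlider copies (one under plugins, one bundled inside a theme)."""
    files = {
        "wp-includes/template-loader.php":
            "<?php\n// constructed stand-in for the clean core loader\n",
        "wp-includes/js/json2.min.js":
            "if(typeof JSON!=='object'){JSON={};}\n"
            "var s=document.createElement('iframe');s.src='http://soaksoak.ru/';"
            "s.width=0;s.height=0;document.body.appendChild(s);\n"
            "eval(String.fromCharCode(118,97,114));\n",
        "wp-content/plugins/revslider/revslider.php":
            "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.6.5\n*/\n",
        "wp-content/themes/sometheme/plugins/revslider/revslider.php":
            "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def run_demo(min_safe_version="4.2"):
    """Build the sample site in a temp dir; return (injections, outdated copies).
    The "4.2" default is an illustrative assumption, not a value from the page."""
    root = tempfile.mkdtemp(prefix="soaksoak-demo-")
    build_sample_site(root)
    return scan_injections(root), outdated_revslider(root, min_safe_version)

if __name__ == "__main__":
    injections, outdated = run_demo()
    print("injected files:", injections)
    print("outdated RevSlider copies:", outdated)
```

Run against a real install by calling scan_injections and outdated_revslider with the WordPress document root and the patched version from the vendor's changelog. Indicator hits are a starting point, not a verdict: the authoritative check is a byte-for-byte diff of wp-includes against a pristine copy of the same WordPress release, and any copy of RevSlider found under wp-content/themes must be updated or removed even though it never appears in the plugins list.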

Although SoakSoak's injected code is relatively straightforward to remove from your website's files, doing so doesn't necessarily eliminate the vulnerability that allowed the site to be hacked in the first place. You may need to take additional steps to close SoakSoak-associated backdoors and block future attacks. For a hacked website's visitors, thorough anti-malware scans from a protected environment should suffice to remove any threats that were installed.

The estimated total of sites compromised through this latest iteration of the SoakSoak campaign stands at one hundred thousand.
