SoakSoak
Posted: February 12, 2015
Threat Metric
The fields listed on the Threat Meter, each with its specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Threat Level | 8/10 |
| Infected PCs | 1,778 |
| First Seen | February 12, 2015 |
| Last Seen | June 19, 2023 |
| OS(es) Affected | Windows |
SoakSoak is a malware campaign that compromises third-party websites and inserts attacks for installing malware onto the PCs of the sites' visitors. The current SoakSoak campaign targets WordPress users, including domains with outdated versions of some plugins installed. Although Google already has blacklisted thousands of sites associated with SoakSoak, other websites remain active, and could allow SoakSoak to compromise PCs whose users have performed no actions other than visiting an affected site. Anti-malware system scans are strongly advisable for any PC users who believe that their systems could be victims of a successful SoakSoak attack.
SoakSoak: the Indiscriminate Spray of Trojans
While the SoakSoak campaign has been known to target other sites, WordPress users currently make up the majority of its victims. So far, SoakSoak attacks use at least two distinct methods of compromising websites. The first of these, now outdated, modified the 'wp-includes/template-loader.php' site file with inserted JavaScript content. The second targets 'wp-includes/js/json2.min.js,' which is forced to include threatening Flash content. In either case, the campaign's aim is to redirect that site's traffic to Soaksoak.ru and other domains associated with SoakSoak, launching attacks that install threats automatically. Malware experts still are examining the full range of possible payloads from these attacks.
Since the SoakSoak campaign makes generous use of minimalist iFrame content, these browser hijackings towards threatening sites are visually undetectable and can trigger without forcing the victim away from the original website. The threatening content also is heavily obfuscated, which can prevent default security features from identifying it as an attack. PC users without adequate browser protection could see their systems become infected without doing anything other than loading the hacked site.
Coming in from the Malware Rain
Website administrators can make use of a range of free tools for identifying SoakSoak content, such as automated site scanners. However, malware experts particularly emphasize that site admins monitor their use of plugins such as RevSlider (AKA 'Slider Revolution'), one known culprit that unintentionally provides the vulnerability SoakSoak exploits. RevSlider has been patched to block any future exploitation via this method, but sites running outdated versions of RevSlider remain at risk of being hacked. Since RevSlider and other plugins may be bundled by default with various theme and plugin packages, a site can be running the plugin without the administrator ever having installed it individually.
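A simple defender-side check that covers the two files the campaign is described as modifying. This is an added example, not code from the original page or from any scanner it mentions; the file paths and the redirect domain come from the page, while the baseline hashes, the sample file contents and the function names are constructed for illustration.

```python
import hashlib
import os
import re
import shutil
import tempfile

# The two core files the page names as the campaign's modification targets.
WATCHED_FILES = ("wp-includes/template-loader.php", "wp-includes/js/json2.min.js")

# Content indicators taken from the page's description: the redirect domain,
# injected iframes, and Flash objects, none of which belong in these files.
INDICATORS = {
    "soaksoak-domain": re.compile(r"soaksoak\.ru", re.I),
    "injected-iframe": re.compile(r"<iframe\b", re.I),
    "flash-object": re.compile(r"\.swf\b|x-shockwave-flash", re.I),
}

def scan_wordpress_root(root, baseline):
    """Return sorted (relative_path, reason) findings. baseline maps relative path
    to the sha256 of the clean release copy (from a pristine WordPress download)."""
    findings = []
    for rel in WATCHED_FILES:
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if rel in baseline and hashlib.sha256(data).hexdigest() != baseline[rel]:
            findings.append((rel, "hash-mismatch"))
        text = data.decode("utf-8", errors="replace")
        findings += [(rel, n) for n, p in INDICATORS.items() if p.search(text)]
    return sorted(findings)

def demo():
    """Constructed sample: a clean loader in the baseline, and a json2.min.js with a hidden iframe."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "wp-includes", "js"))
        clean = b"<?php\n// constructed clean template loader\n"
        bad = (b"var x=1;document.write('<iframe src=\"http://soaksoak.ru/\" "
               b"width=1 height=1 style=\"display:none\"></iframe>');")
        with open(os.path.join(root, *WATCHED_FILES[0].split("/")), "wb") as f:
            f.write(clean)
        with open(os.path.join(root, *WATCHED_FILES[1].split("/")), "wb") as f:
            f.write(bad)
        return scan_wordpress_root(root, {WATCHED_FILES[0]: hashlib.sha256(clean).hexdigest()})
    finally:
        shutil.rmtree(root)
```

Against a live site, call scan_wordpress_root with the WordPress root and a baseline built from a pristine copy of the same release; a hash mismatch with no indicator hit still warrants a manual look, since the page notes the injected content is heavily obfuscated.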
Although the injected SoakSoak content is relatively straightforward to remove from your website's files, doing so doesn't necessarily eliminate the vulnerabilities that allowed your site's original hacking. You may need to implement additional steps for blocking SoakSoak-associated backdoor vulnerabilities and future attacks. With respect to a SoakSoak-hacked website's visitors, thorough anti-malware scans from a protected environment should suffice for removing all other threats.
The estimated total of sites compromised through this latest iteration of the SoakSoak campaign is one hundred thousand.