SoakSoak Campaign Evolves – New Wave of Attacks

Since Sunday, we have seen a new wave of SoakSoak reinfections. The Javascript continues to evolve and load other scripts in order to infect additional websites. We have updates for concerned webmasters looking to stay on top of the threat and keep their site protected against these kinds of attacks.

To those websites that have ignored or otherwise have not been made aware of our advice to update RevSlider plugin. We are seeing server logs showing attempts to locate and infect old versions of RevSlider (<4.2):

[21/Dec/2014:09:48:14 -0500] “POST /wp-content/plugins/revslider/temp/update_extract/revslider/license.php HTTP/1.1″ 200 357 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0″

[21/Dec/2014:09:48:15 -0500] “POST /wp-content/plugins/revslider/temp/update_extract/revslider/__sprd.php HTTP/1.1″ 200 474 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0″

This time the malware authors changed the Javascript file that they inject the malicious code into. Now it’s wp-includes/js/json2.min.js. The corresponding code in wp-includes/template-loader.php has changed as well:

function Func11()
{
wp_enqueue_script('json2');
}
add_action('wp_enqueue_scripts', 'Func11');

The malicious code in wp-includes/js/json2.min.js still loads the wp-includes/js/swfobjct.swf (click here for full payload analysis) Flash file (100% malicious), but the code now is more elaborate. Here you can see the decoded version:

Decode malware in json2.min.js

Decode malware in json2.min.js

The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js.

We will continue to monitor the situation and provide more information from our research labs. Webmasters who are already using our Website Firewall don’t need to worry, as they are protected against this and other zero-day threats.

Via Sucuri.net

Tags: , ,

No comments yet.

Leave a Reply