SoakSoak Malware Compromises Over 100,000 WordPress Websites

Security Researchers recently discovered yet another threat to websites running a popular content management system (CMS), WordPress. This threat, which has been dubbed SoakSoak, is the latest malware threat specifically designed to target websites operating the CMS and has already resulted in over 11,000 domains being blacklisted by Google. WordPress has become extremely popular and can be found on the backend of nearly 60 million websites worldwide (meaning approximately 1 in every 6 websites run the CMS) so it’s no wonder hackers have started targeted the infrastructure more regularly in the last few months.

The ability to compromise a legitimate website has become an incredibly successful ploy for cyber criminals as most PC users have become increasingly wary of unsolicited spam email campaigns designed to infect machines with attached malware or via links to malicious sites. SoakSoak is the latest threat to plague WordPress-powered sites and works by redirecting visitors of compromised sites to the SoakSoak.ru domain.

Once visitors land on this malicious domain, an exploit kit looks for known vulnerabilities in the Web browser and/or plugins (namely Java, Flash and Microsoft Silverlight) to install malicious software using the all-to-common drive-by download technique that has become a staple in the modern hacker’s arsenal.

According to the Internet security firm Sucuri (which first discovered the thousands of blacklisted domains), SoakSoak modifies a file within the WordPress installation before loading JavaScript-based malware directly from the SoakSoak.ru domain. SoakSoak appears to target WordPress plugins rather than the WordPress CMS itself. The reason for this is simple – many plugins are not properly maintained by the developers and many webmasters forget to update these plugins even when updates are provided. This makes it relatively easy for hackers to engineer backdoors into the CMS via these outdated plugins (many of which are installed and not even used within the website’s infrastructure).

soaksoak malware

One of the theme plugins that is especially vulnerable to SoakSoak is known as RevSlider – an interactive slider commonly used on the homepage of WordPress-powered sites as a way to add a level of interactivity to the page. Unfortunately, RevSlider is a premium plugin often pre-packaged with themes used to change the overall appearance of a WordPress site. Since RevSlider is integrated into these themes, the webmaster is unable to update the plugin until the developers of the theme release an update that incorporates the new version of RevSlider. Sucuri estimates that well over 100,000 WordPress sites are currently using a vulnerable version of RevSlider and nothing can be done until developers of the themes with the outdated version release a secure update to the entire theme. This makes it rather easy for hackers to continue spreading SoakSoak and related malware via compromised sites while developers scramble to catch up. It’s also worth noting that many other plugins are potentially at risk but have yet to be identified.

If you are a webmaster operating one or more WordPress sites, the best way to protect these sites from SoakSoak is to ensure WordPress and all associated plugins are up-to-date and that if an antiquated version of RevSlider is being used, that plugin should be disabled until a patch is released for the particular theme containing the vulnerability.

PC users can avoid malware infection by SoakSoak compromised sites by ensuring the Windows OS, antivirus software and all Web browser plugins are updated regularly. Better yet, if you do not actively use vulnerable plugins such as Flash and Java, remove them from the system completely to further protect your PC from SoakSoak and associated malware threats.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal