Unlike SoakSoak, it’s comprised of 3 distinct malframes – creating one new campaign. We’re tracking each closely:
This campaign is using the domain wpcache-blogger.com as the main malware distributor and command and control. So far is has been responsible for the Google Blacklist of 12,418 sites:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 12418 domain(s), including bertaltena.com/, polishexpress.co.uk/, maracanafoot.com/.
This second campaign seems to be done by the same team behind SoakSoak, but at a smaller scale. Google has blacklisted 6,086 sites so far:
Yes, this site has hosted malicious software over the past 90 days. It infected 6086 domain(s), including fitforabrideblog.com/, notjustok.com/, notanotherpoppie.com/.
: This campaign has been going for a almost a week and started shortly after SoakSoak. It seems to be slowing down and was responsible for the blacklist of 9,731 domains.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 18.104.22.168 appeared to function as an intermediary for the infection of 9731 site(s) including kitchenandplumbing.com/, salleurl.edu/, radiorumba.fm/.
Together, these 3 campaigns have caused 28,235 websites to be blacklisted by Google (according to their safebrowsing stats) in a very short time frame. Our internal analysis has identified more than 50,000 WordPress websites compromised via this new campaign, not all have been blacklisted yet.
However, the WPcache-blogger variation is picking up a lot of traction the past 24 hours; it’s by far the most aggressive in it’s growth trajectory. When it compromises a site, it adds the following code to the footer of the theme:
eval ( base64_decode("ZnVuY..
This payload contacts http://wpcache-blogger.com/getlinks.php, retrieving the malicious iframe to be displayed for the user. What is interesting about this injection is that it is highly conditional and if you try to re-load the page, it will load “google” via an iframe, instead of the malware site.
This is the real malframe:
But it will also display an iframe to Google from time to time to make it harder to be detected:
If you see an iframe to Google.com on your site, consider yourself hacked.
Cleanup and Protection
As the previous RevSlider issues, you have to update it asap to close the door for new attacks. It won’t clean your site, but will help control the problem.
Once Revslider is updated, you have to do a full clean up of your site. Just reinstalling WordPress won’t fix the problem; as mentioned before, this campaign is similar to #soaksoak in that it’s using a wide range of backdoors, allowing the attackers to regain access to your website, bypassing all existing controls in place.
We are recommending everyone to take security seriously, add your website behind a Website Firewall asap, the scale of these attacks are increasing daily. We’re cleaning thousands of sites all leveraging the latest Security Tips, the coolest security plugins. Yes, we have a product that does it, but you don’t have to use it. Leverage Google and find alternatives, if you’re a sysadmin / DIY type person, try leveraging the open-source project, ModSecurity or any other variation available.
Whatever you do, it’s time you start taking security seriously!