If SoakSoak wasn’t enough, we are starting to see a new malware campaign leveraging the RevSlider vulnerability and compromising thousands of WordPress sites in the last few days.
Unlike SoakSoak, it’s comprised of 3 distinct malframes – creating one new campaign. We’re tracking each closely:
This campaign is using the domain wpcache-blogger.com as the main malware distributor and command and control. So far is has been responsible for the Google Blacklist of 12,418 sites:
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 12418 domain(s), including bertaltena.com/, polishexpress.co.uk/, maracanafoot.com/.
This second campaign seems to be done by the same team behind SoakSoak, but at a smaller scale. Google has blacklisted 6,086 sites so far:
Yes, this site has hosted malicious software over the past 90 days. It infected 6086 domain(s), including fitforabrideblog.com/, notjustok.com/, notanotherpoppie.com/.
: This campaign has been going for a almost a week and started shortly after SoakSoak. It seems to be slowing down and was responsible for the blacklist of 9,731 domains.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 22.214.171.124 appeared to function as an intermediary for the infection of 9731 site(s) including kitchenandplumbing.com/, salleurl.edu/, radiorumba.fm/.
Together, these 3 campaigns have caused 28,235 websites to be blacklisted by Google (according to their safebrowsing stats) in a very short time frame. Our internal analysis has identified more than 50,000 WordPress websites compromised via this new campaign, not all have been blacklisted yet.
However, the WPcache-blogger variation is picking up a lot of traction the past 24 hours; it’s by far the most aggressive in it’s growth trajectory. When it compromises a site, it adds the following code to the footer of the theme:
eval ( base64_decode("ZnVuY..
This payload contacts http://wpcache-blogger.com/getlinks.php, retrieving the malicious iframe to be displayed for the user. What is interesting about this injection is that it is highly conditional and if you try to re-load the page, it will load “google” via an iframe, instead of the malware site.
This is the real malframe:
But it will also display an iframe to Google from time to time to make it harder to be detected:
If you see an iframe to Google.com on your site, consider yourself hacked.
Cleanup and Protection
As the previous RevSlider issues, you have to update it asap to close the door for new attacks. It won’t clean your site, but will help control the problem.
Once Revslider is updated, you have to do a full clean up of your site. Just reinstalling WordPress won’t fix the problem; as mentioned before, this campaign is similar to #soaksoak in that it’s using a wide range of backdoors, allowing the attackers to regain access to your website, bypassing all existing controls in place.
We are recommending everyone to take security seriously, add your website behind a Website Firewall asap, the scale of these attacks are increasing daily. We’re cleaning thousands of sites all leveraging the latest Security Tips, the coolest security plugins. Yes, we have a product that does it, but you don’t have to use it. Leverage Google and find alternatives, if you’re a sysadmin / DIY type person, try leveraging the open-source project, ModSecurity or any other variation available.
Whatever you do, it’s time you start taking security seriously!
Noticed this yesterday on a local business site. At least chrome alerts you 🙂
Thanks for staying on top of this as it grows, even during the holidays!
I have been following the case of the attacks originated from Revslider plugin, blog, and impressed me with these ataques.Tenho oriented friends to make update, but the indifference is great. Continue to inform us. Thank you.
As we have communicated over and over before: Revolution slider >4.2 (Released in february 2014) is safe and does not have any security holes.
The current issue still originates from the security flaw in revolution slider with versions 4.1.4 and below.
Quite a lot of plugin users have not updated their slider yet, OR did not scan their system for malware infections after updating.
We would appreciate if you could provide more detailed information to your readers by adding version numbers but at the same time highlighting the need for a detailed server scan and usage of security software!
Any users who are still using old revolution slider version and don’t know how to update can contact us via facebook, twitter or our profile on codecanyon.
We are available for any plugin users during the holidays!
Cheers from your team @ThemePunch
Unfortunately for me, my client gave me RevSlider and asked to have it installed. He hasn’t be responsive the last 2 weeks, probably on holiday vacation. 🙁 I had to delete the plugin because the site got backdoored twice.
you can always contact us per mail due our profile page. We help so far anybody who have bundled or direct purchased our plugin. Even if you update today (but missed the updates in the last 10 months), you may have some backdoor codes existing on your server which must be cleaned first. In that case removing the plugin will not help neither. Installing some Security software, (there are some very good one) is in this case very helpful.
thanks a lot,
A good way to clean is to patch revslider and run maldet
It looks like The Internet Systems Consortium (ISC) website was hacked by this Malware on December 22nd. What is most worrisome is that they are a group responsible for the open-source Berkeley Internet Name Domain (BIND) program. BIND is one of the most popular DNS software on the planet and is certainly the most used DNS program on the Unix and Linux systems that make up most of the Internet’s fundamental infrastructure.
The security group Cyphort discovered the hack but didn’t mention how ISC was hacked, other than that is was through their public facing wordpress site. But some of the sourcecode they showed in their article showed an injected iframe pointing to theme(dot)wpcache-blogger(dot)com.
I got this on one of my clients website the other day.
I cleaned the footer file, and realised that the Revolution plugin I used had been tempered with, plus some Wp-Admin files, which I had to replace with the latest version of the files.
Thanks for the update