The list of compromised sites is long and includes the tourism website for Guatemala and the do-it-yourself project site of Dunlop Adhesives.
The websites were used by operators behind the SoakSoak botnet to redirect visitors to a malicious website used to deliver the CryptXXX ransomware. Once victims’ files are encrypted by the ransomware, it demands a $500 ransom to get back them.
The hackers compromised the websites by exploiting vulnerabilities in WordPress plugins or unpatched content management systems.
In December 2015, Google blacklisted over 11000 domains that were infected with this SoakSoak malware which was redirecting user traffic and download malicious payloads on targets.
11,000 domains were used to serve malware that has been brought by SoakSoak.ru, for this reason, the malicious campaign has been dubbed the SoakSoak Malware epidemic.
The security experts at Sucuri firm provided a detailed analysis of the SoakSoak Malware on their blog, explaining that the infections targeted different platforms despite the greatest number of infections affected WordPress-based websites.
“Our analysis is showing impacts in the order of 100’s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back.” states the post. “The impact seems to be affecting most hosts across the WordPress hosting spectrum. Quick breakdown of the decoding process is available via our PHP Decoder.” reported the Sucuri firm.
In this recent SoakSoak Malware campaign that has begun in May, the crooks used a malicious code to redirect visitors to a website hosting the Neutrino Exploit Kit. The attackers have updated both the exploit kit and the malware during the campaign, the latest version of the Neutrino EK used by hackers is able to avoid the execution in q virtualized environment.
“Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMWare, Wireshark, ESET, Fiddler, or a Flash player debugging utility,” states the blog post published by Invincea. “If those programs are not present on the victim host the Command Shell is opened and the windows utility of Wscript is accessed to download the ransomware payload from a Command and Control server.”
To see the complete list of compromised websites give a look at this Storify.
(Security Affairs – SoakSoak botnet, malware)