Attackers exploiting a bug in the Slider Revolution plugin to compromise WordPress websites with malware delivered from SoakSoak(dot)com may also be targeting zero-day vulnerabilities in Firefox and Internet Explorer 11, according to Sucuri, the security company that initially identified the campaign.
In a Tuesday post further analyzing the attack and payload, Denis Sinegubko, senior malware researcher at Sucuri, indicated that one variation involves the creation of a Flash object using a 'wp-includes/js/swfobjct.swf' file.
Sinegubko wrote that when “we decompiled the swfobjct.swf file, we found a function that executed some obfuscated JavaScript only in Firefox and Internet Explorer 11 browsers” and went on to state that “it injects an invisible iframe” from Milaprostaya(dot)ru – which ultimately leads to infection.
Milaprostaya(dot)ru is a hacked WordPress site on a shared server that is infected with the SoakSoak malware and is not currently blacklisted by Google, the Tuesday post indicates.