WordPress Sites Infected with Balada Injector Malware Campaign

Published April 2, 2024
Author: Ash Khan


Since 2017, more than a million WordPress websites are reported to have been infected by the malware known as Balada Injector.

According to the security company tracking the campaign, it abuses a wide range of vulnerabilities in themes and plugins to compromise WordPress sites, and the attacks arrive in waves every few weeks.

Ongoing campaign

The researchers note that the campaign is easy to recognise by its preference for String.fromCharCode obfuscation, its use of freshly registered domain names that host malicious scripts on random subdomains, and its redirects to a variety of scam sites.

Those sites include fake tech-support pages, bogus lottery wins, and malicious CAPTCHA pages. The CAPTCHA pages prompt visitors to enable browser notifications, which the operators then use to push spam.

A recent Doctor Web report separately described malware that exploits flaws in more than two dozen plugins and themes to compromise unpatched WordPress sites.

Assault aftermath

Over the years, Balada Injector has used more than 100 domains and a variety of techniques to exploit known security flaws, including HTML injection and Site URL injection, with the attackers primarily trying to obtain the database credentials stored in the wp-config.php file.

The attacks also try to read or download arbitrary site files, including backups, database dumps, log files and error logs, and probe for database tools such as Adminer and phpMyAdmin that administrators have left behind.

Ultimately the malware creates rogue WordPress admin accounts, harvests data from the underlying server, and plants persistent backdoors.

Balada Injector also walks the top-level directories of the compromised site's filesystem looking for writable folders that belong to other websites.

Those sites most often belong to the same webmaster, share the same server account and therefore the same file permissions, so compromising one site hands the attacker several others at no extra cost.

If all of those routes are blocked, the malware falls back to brute-forcing the admin password with a set of 74 predefined credentials. WordPress users are therefore advised to keep their site software updated, remove unused plugins and themes, and use strong, unique admin passwords.
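The two behaviours just described, probing for leftover tools and backup files and running a short credential list against wp-login.php, both leave a recognisable trail in the web server's access log. The script below is an added example, not code from the article or from the researchers it cites: it parses Combined Log Format lines, flags requests for leftover admin tools and backup or dump files, and flags any address that posts to wp-login.php at least a threshold number of times inside a sliding window. The log lines, addresses and probe patterns are constructed for illustration (documentation IP ranges, a 10-in-60-seconds threshold); tune them for your own site.

```javascript
// Added example, not code from the article or any vendor report: triage a
// web-server access log for (a) probes for leftover admin tools / backups and
// (b) password guessing against wp-login.php. All log lines below are
// constructed; the addresses come from documentation ranges.

const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse a CLF timestamp such as "02/Apr/2024:10:05:00 +0000" into epoch seconds.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, oh, om] = m;
  const asUtc = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) / 1000;
  const offset = (+oh * 60 + +om) * 60 * (sign === '+' ? 1 : -1);
  return asUtc - offset; // local digits minus the zone offset give true UTC
}

// One record per parseable line: { ip, t, method, path, status }.
function parseLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = CLF_RE.exec(line.trim());
    if (!m) continue;
    const t = parseClfTime(m[2]);
    if (t === null) continue;
    entries.push({ ip: m[1], t, method: m[3], path: m[4].split('?')[0], status: +m[5] });
  }
  return entries;
}

// Paths an attacker reading arbitrary files or hunting for forgotten database
// tools would request. Illustrative list; extend it for your own deployment.
const PROBE_PATTERNS = [
  /adminer/i, /phpmyadmin/i, /wp-config\.php/i,
  /\.(bak|old|orig|save|swp)$/i, /\.sql(\.gz|\.zip)?$/i,
  /\.(zip|tar|tar\.gz|tgz)$/i, /(error_log|debug\.log)$/i,
];

function findProbes(entries) {
  return entries.filter(e => PROBE_PATTERNS.some(re => re.test(e.path)));
}

// Return { ip: maxAttemptsInWindow } for every address that POSTs to
// wp-login.php at least `threshold` times within any `windowSec` seconds.
function findLoginBursts(entries, { windowSec = 60, threshold = 10 } = {}) {
  const byIp = new Map();
  for (const e of entries) {
    if (e.method !== 'POST' || e.path !== '/wp-login.php') continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.t);
  }
  const hits = {};
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let best = 0, lo = 0;
    for (let hi = 0; hi < times.length; hi++) {  // sliding window, two pointers
      while (times[hi] - times[lo] > windowSec) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    if (best >= threshold) hits[ip] = best;
  }
  return hits;
}

// Constructed sample log: one address poking at leftovers, one normal visitor
// logging in once, and one address running a credential list.
const line = (ip, ts, method, path, status) =>
  `${ip} - - [02/Apr/2024:${ts} +0000] "${method} ${path} HTTP/1.1" ${status} 512`;

const SAMPLE_LOG = [
  line('203.0.113.5', '10:00:01', 'GET', '/adminer.php', 404),
  line('203.0.113.5', '10:00:02', 'GET', '/phpmyadmin/', 404),
  line('203.0.113.5', '10:00:03', 'GET', '/wp-config.php.bak', 404),
  line('203.0.113.5', '10:00:04', 'GET', '/backup.sql', 404),
  line('192.0.2.9', '10:06:00', 'GET', '/wp-content/themes/twentytwentyfour/style.css', 200),
  line('192.0.2.9', '10:06:10', 'POST', '/wp-login.php', 302),
  ...Array.from({ length: 20 }, (_, i) =>   // 20 attempts in 38 seconds
    line('198.51.100.7', `10:05:${String(i * 2).padStart(2, '0')}`, 'POST', '/wp-login.php', 200)),
].join('\n');

const entries = parseLog(SAMPLE_LOG);
console.log('probes:', findProbes(entries).map(e => `${e.ip} ${e.path}`));
console.log('login bursts:', findLoginBursts(entries));
```

The brute-force check looks only at wp-login.php; xmlrpc.php is another well-known login path worth counting the same way, and the 404s on the probe lines matter too: a 200 on adminer.php or a .sql file means the leftover was actually served.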

Backdoor accesses of Balada

The findings follow Palo Alto Networks Unit 42's discovery of a related malicious JavaScript injection campaign that sends site visitors to adware and fraud domains and has affected more than 51,000 websites since 2022.

It sends visitors to malicious sites that use a fake CAPTCHA check to trick them into allowing push notifications, which are then used to serve deceptive content. It likewise relies on String.fromCharCode for obfuscation.

The researchers found the malicious JS on the homepage of 50% of the detected sites. A common tactic was to inject the code into widely used JS files such as jQuery, since those files are likely to be loaded on the homepages of compromised sites.