Business

Balada Injector – Massive Ongoing WordPress Malware Infected Over 1 Million Websites

Published

1 year ago

April 12, 2023

A cyber attack campaign targeting WordPress websites has recently caused significant concern, with experts estimating that up to one million websites may have been compromised.

The campaign has been ongoing, using known vulnerabilities in themes and plugins to insert a malicious Linux backdoor.

While cybersecurity researchers have identified the backdoor as a “Balad Injector.” It appears that the campaign in question has been actively running since 2017, with its primary objective being to redirect users to various types of online scams, and these include:-

Fake tech support pages
Lottery scams
Push notification fraud

Long-running Infection Waves

Sucuri has recently identified the Balad Injector campaign as the same one Dr. Web reported in December 2022.

This campaign exploits the vulnerabilities in multiple plugins and themes to insert a backdoor, allowing attackers to gain unauthorized access to affected websites.

Sucuri has reported that the Balad Injector campaign operates in waves, with attacks occurring approximately once a month. To evade blocking lists and other security measures, the attackers use a freshly registered domain name for each wave of attacks.

Like malware campaigns, the Balad Injector campaign often exploits recently disclosed vulnerabilities in various themes and plugins. The attackers behind the campaign create custom attack routines tailored to the specific flaw they are targeting.

The majority of these domain names are usually combinations of two or four English words that are made up of nonsense information like:-

sometimesfree[.]biz
destinyfernandi[.]com
travelfornamewalking[.]ga
statisticline[.]com

Injections are performed by the use of URLs on a variety of subdomains within the current wave domain, such as:-

java.sometimesfree[.]biz/counter.js – active 2017
slow.destinyfernandi[.]com/slow.js – active 2020
main.travelfornamewalking[.]ga/stat.js – active 2021
cdn.statisticline[.]com/scripts/sway.js – active 2023

The impact of the Balad Injector campaign on website security is significant, as evidenced by the fact that 32 domains associated with various waves of malware were responsible for 67.2% of all blocklisted resource detections recorded by SiteCheck in 2022.

These domains fully occupied the top five positions on the list of blocklisted resources, indicating the widespread and persistent nature of the campaign.

Here are the top-ranking domains with top most detection counts:-

legendarytable[.]com: 18,102 Detections
weatherplllatform[.]com: 13,133 Detections
classicpartnerships[.]com: 10,726 Detections
ads.specialadves[.]com: 8,295 Detections
line.storerightdesicion[.]com: 7,899 Detections

Injection Methods

Sucuri has observed several injection methods used by the Balad Injector campaign to compromise WordPress websites. While these methods include:-

Siteurl hacks
HTML injections
Database injections
Arbitrary file injections

The Balad Injector campaign utilizes many attack vectors to compromise WordPress websites, resulting in duplicate site infections. In some cases, subsequent campaign waves have targeted sites that were already compromised.

Sucuri has identified instances of sites being attacked multiple times, with as many as 311 attacks observed on a single site. In one such case, 11 distinct versions of the Balad Injector malware were used to compromise the site.

Balada’s Activity

The Balad Injector campaign is designed to exfiltrate sensitive information from WordPress websites, focusing on stealing database credentials from wp-config[.]php files.

This allows threat actors to access compromised sites even if the site owner clears the initial infection and patches their add-ons.

In addition to targeting wp-config[.]php files, the Balad Injector campaign seeks to exfiltrate a variety of other sensitive information like:-

Backup archives
Databases
Access logs
Debug information
Other sensitive files

The Balad Injector malware uses a variety of malicious methods, and among them, one such method involves searching for the presence of popular database administration tools like:-

Adminer
phpMyAdmin

If these tools are misconfigured or vulnerable, the attackers can use them to create new admin users, extract sensitive information, or inject persistent malware into the database.

The attackers turn to brute force attacks by trying out 74 combinations of credentials to guess the admin password if these accessible pathways are unavailable.

Once the Balad Injector malware has compromised a WordPress site, the attackers plant multiple backdoors to ensure persistent access and control.

These backdoors are hidden access points that provide a proxy for the attackers, meaning that even if one backdoor is discovered and removed, others may be in place to maintain access.

The Balada Injector malware is designed to be challenging to remove, making it a persistent threat to compromised WordPress sites.

One of the tactics used by the attackers is to drop backdoors into 176 predefined paths, creating multiple hidden access points that allow the attackers to maintain control of the site even after the initial infection has been removed.

The Balada Injector campaign also leverages cross-site infections to maintain access to cleaned-up sites.

By exploiting vulnerabilities in plugins and themes, the attackers can gain easy access to the underlying VPS hosting the site. Once they have this access, they can re-infect cleaned-up sites repeatedly as long as they maintain access to the VPS.

Recommendations

Here below, we have mentioned all the basic and regular recommendations offered by the security analysts at Sucuri:-