Over a Million WordPress Websites Compromised by Balada Injector Malware Campaign
Apr 10, 2023 | Ravie Lakshmanan | Web Security / Malware WordPress
An ongoing malware campaign called Balada Injector has infected more than one million WordPress websites since 2017. According to GoDaddy's Sucuri, the massive campaign takes advantage of both known and recently discovered theme and plugin vulnerabilities to compromise WordPress sites, with attacks occurring in waves every few weeks.
Security researcher Denis Sinegubko highlights the campaign's distinctive characteristics, such as its use of String.fromCharCode obfuscation, newly registered domain names hosting malicious scripts on random subdomains, and redirects to various scam sites. These websites often involve fake tech support, fraudulent lottery wins, and deceptive CAPTCHA pages that trick users into enabling spam ads by asking them to turn on notifications to prove they are not robots.
This report builds on Doctor Web's recent findings about a Linux malware family that exploits vulnerabilities in more than two dozen plugins and themes to compromise vulnerable WordPress sites. Over the years, Balada Injector has employed over 100 domains and numerous methods to exploit known security flaws, such as HTML injection and Site URL. The attackers' primary goal is to acquire database credentials in the wp-config.php file.
The attacks are also designed to read or download arbitrary site files, including backups, database dumps, and log and error files, and to search for tools like adminer and phpmyadmin left behind by site administrators after maintenance tasks. The malware enables the creation of fake WordPress admin users, data harvesting from underlying hosts, and the installation of backdoors for continuous access.

Balada Injector further conducts extensive searches from top-level directories linked to the compromised website's file system to find writable directories associated with other sites. Sinegubko explains that these sites usually belong to the webmaster of the compromised site and share the same server account and file permissions. As a result, compromising one site can potentially grant access to multiple other sites.
If these attack routes are unavailable, the admin password is brute-forced using a set of 74 predefined credentials. To protect their websites, WordPress users are advised to keep their software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.
These findings follow Palo Alto Networks Unit 42's recent discovery of a similar malicious JavaScript injection campaign affecting over 51,000 websites since 2022. This campaign also uses String.fromCharCode obfuscation to lead victims to booby-trapped pages that trick them into enabling push notifications by posing as a fake CAPTCHA check to deliver deceptive content.
Unit 42 researchers noted that more than half of the affected websites had the malicious JS code injected into their homepage. The campaign's operators often targeted frequently used JS filenames (e.g., jQuery) likely to be included on the homepages of compromised websites, increasing the likelihood of targeting the website's legitimate users who frequently visit the homepage.
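Site owners can hunt for the String.fromCharCode obfuscation that both Sucuri and Unit 42 describe by decoding such calls in their own files and reviewing what they hide. The following is an added example, not code from Sucuri, Unit 42 or the article; the regexes, the MIN_CODES threshold and the example.invalid host are assumptions, and the sample input is constructed.

```python
import os
import re

# String.fromCharCode(104, 0x74, ...) with a run of decimal or hex arguments.
CALL = re.compile(r"String\s*\.\s*fromCharCode\s*\(([\s,0-9a-fA-FxX]+)\)")
NUM = re.compile(r"0[xX][0-9a-fA-F]+|\d+")
# Decoded text that loads or redirects to remote content deserves review.
RISKY = re.compile(r"https?:|//[\w-]+(\.[\w-]+)+|<script|createElement|\.src\b|location", re.I)
MIN_CODES = 8  # assumption: shorter runs are usually key codes or separators

def decode_calls(source):
    """Yield (offset, decoded_text) for each long fromCharCode call."""
    for m in CALL.finditer(source):
        toks = NUM.findall(m.group(1))
        if len(toks) < MIN_CODES:
            continue
        codes = [int(t, 16) if t[:2].lower() == "0x" else int(t) for t in toks]
        # fromCharCode truncates each argument to 16 bits
        yield m.start(), "".join(chr(c & 0xFFFF) for c in codes)

def findings(source):
    """Return decoded strings that look like script loaders or redirects."""
    return [(off, text) for off, text in decode_calls(source) if RISKY.search(text)]

def scan_tree(root, exts=(".js", ".php", ".html")):
    """Walk a site directory and map file path -> findings."""
    report = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = findings(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a library file with an encoded tag for a placeholder host.
HIDDEN = '<script src="https://rnd123.example.invalid/s.js"></script>'
CODES = ",".join(str(ord(c)) for c in HIDDEN)
SAMPLE_INFECTED = "/* jquery.min.js */ (function(){})();\nvar p=String.fromCharCode(%s);" % CODES
SAMPLE_CLEAN = "var sep = String.fromCharCode(13, 10);"

if __name__ == "__main__":
    for offset, text in findings(SAMPLE_INFECTED):
        print(offset, text)
```

A hit is a lead for manual review rather than proof of infection, since legitimate code also uses String.fromCharCode; comparing flagged files against clean copies from the original theme or plugin package settles it.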
