Balada Injector Malware Compromises 7,000+ WordPress Sites
Threat actors have recently used the Balada injector malware to exploit a plugin vulnerability, leading to the compromise of more than 7,000 WordPress sites. Recent reports have shed light on the WordPress Balada injector infections, claiming that attacks were first documented in December 2022. During the attack, a vulnerable version of the Popup Builder plugin was exploited.
In this article, we’ll dive into all the details of the Balada injector malware attack and see how it unfolds.
The Balada Injector Malware Family
Building an understanding of the origins of the Balada injector malware is essential prior to diving into the intricacies of the attack. The malware family has been active since 2017 and supports multiple attack vectors and persistence mechanisms that let it carry out its malicious intent.
It’s worth mentioning here that the malicious code was initially identified late in December last year. A report by Doctor Web on Balada’s exploitation of WordPress plugin vulnerabilities states that the malicious program is capable of hacking websites based on the WordPress Content Management System (CMS) by exploiting multiple plugins and themes.
Previous attacks using the Balada injector malware led to over 17,000 sites being compromised in September last year. The number of compromised websites during that period was more than double that of the preceding month. During those attacks, a vulnerability in tagDiv’s premium themes was exploited.
Balada Injector Malware and The Popup Builder Plugin
Once the code has been injected, users who click on any area of the attacked page are redirected to other sites. As for the Popup Builder plugin, hackers can exploit the vulnerability to perform malicious actions on behalf of logged-in users with administrative privileges.
What makes the Balada injector malware even more threatening is that the exploited vulnerability can even be used to create a new rogue admin user. The vulnerability had been identified as CVE-2023-6000, with a severity score of 8.8.
Decoding The Popup Builder Plugin Attacks
Before diving into the details of the attack, it’s worth mentioning here that the Popup Builder plugin has over 200,000 active installations. Such high usage further intensifies the Balada injector malware threat. It has been observed in a recent wave of attacks that threat actors are able to detect logged-in admin cookies.
Once detected, they are exploited to install and activate a rogue back-door plugin called wp-felony.php. Upon activation, the rogue plugin is used to deploy a payload from specialcraftbox[.]com, which is saved in a sasas file. Such an approach allows threat actors to locate the site root directory and modify “wp-blog-header.php.”
From here onwards, hackers can inject the Balada injector malware with ease. Understanding how the attack is executed is paramount to developing a cybersecurity strategy. Additionally, admins can take protective measures by locating and removing the injection by accessing the “Custom JS or CSS” of the Popup Builder section of their interface.
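The attack chain described above (the rogue wp-felony.php plugin, a payload saved as a sasas file, a modified wp-blog-header.php) gives a site owner something concrete to check for. The following is an added example, not code from the article or from any vendor report: it walks a WordPress root for those file-name indicators and flags any include/require in wp-blog-header.php other than the two the stock file makes. The stock-header stand-in, the include heuristic and the constructed sample trees are assumptions.

```python
# Added example (not from the article): defender-side triage of a WordPress
# tree for the indicators the article names; heuristics and samples are assumptions.
import re
import tempfile
from pathlib import Path

ROGUE_PLUGIN = "wp-felony.php"        # back-door plugin named in the article
PAYLOAD_FILE = "sasas"                # drop file name quoted in the article
PAYLOAD_HOST = "specialcraftbox.com"  # payload host quoted in the article
# Stock wp-blog-header.php loads only these two files; any other
# include/require statement in it is flagged (heuristic, an assumption).
EXPECTED_INCLUDES = ("wp-load.php", "template-loader.php")
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*;")
def scan_wordpress_root(root):
    """Return (indicator, detail) pairs found under a WordPress root."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        if path.name == ROGUE_PLUGIN:
            findings.append(("rogue plugin file", str(path.relative_to(root))))
        elif path.name == PAYLOAD_FILE:
            findings.append(("payload drop file", str(path.relative_to(root))))
    header = root / "wp-blog-header.php"
    if header.is_file():
        text = header.read_text(errors="replace")
        for stmt in INCLUDE_RE.findall(text):
            if not any(exp in stmt for exp in EXPECTED_INCLUDES):
                findings.append(("unexpected include in wp-blog-header.php", stmt.strip()))
        if PAYLOAD_HOST in text:
            findings.append(("payload host referenced in wp-blog-header.php", header.name))
    return findings
def build_constructed_sample(root, infected):
    """Write a tiny constructed WordPress-like tree (not real site data)."""
    root = Path(root)
    (root / "wp-content" / "plugins").mkdir(parents=True)
    # Minimal stand-in for the stock header, not the real file (assumption).
    header = ("require_once __DIR__ . '/wp-load.php';\nwp();\n"
              "require_once ABSPATH . WPINC . '/template-loader.php';\n")
    if infected:  # constructed artefacts modelled on the article's description
        (root / "wp-content" / "plugins" / ROGUE_PLUGIN).write_text("<?php // constructed\n")
        (root / "wp-content" / PAYLOAD_FILE).write_text("constructed payload\n")
        header = "require_once __DIR__ . '/wp-content/sasas';\n" + header
    (root / "wp-blog-header.php").write_text("<?php\n" + header)
    return root
def demo():
    # Scan one clean and one infected constructed tree; return both result lists.
    with tempfile.TemporaryDirectory() as tmp:
        clean = scan_wordpress_root(build_constructed_sample(Path(tmp) / "clean", False))
        bad = scan_wordpress_root(build_constructed_sample(Path(tmp) / "bad", True))
    return clean, bad
```

The Popup Builder “Custom JS or CSS” injection lives in the site database rather than on disk, so a file scan like this does not cover it; that part still has to be checked from the plugin’s own settings screen as the article describes.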
The Balada injector malware campaign is an active exploitation of CVE-2023-6000 in the Popup Builder plugin. The vulnerability, when exploited, gives hackers the capability of acting with administrative privileges and also allows them to create rogue admin users. Given that the plugin has over 200,000 active installations, implementing robust cybersecurity measures is essential for safeguarding against such threats.