WordPress websites compromised in Balada Injector campaign
A persistent campaign that targets "all known and recently discovered theme and plugin vulnerabilities" has compromised an estimated one million WordPress websites, according to Sucuri.
Researchers have named the campaign Balada Injector because it injects a Linux backdoor. Since 2017, this malware operation has been redirecting visitors to bogus tech support pages, fake lottery wins, and push notification scams.
According to Sucuri, Balada Injector attacks occur in waves roughly once a month, with each wave using a newly registered domain name to evade blocklists. The malware targets freshly disclosed vulnerabilities and builds custom attack routines around them.
Siteurl hacks, HTML injections, database injections, and arbitrary file injections are just a few of the attack vectors Balada Injector uses. These techniques have led to repeated infections of the same site, with subsequent waves targeting previously compromised sites. Sucuri cited a case in which a single website was attacked 311 times with 11 different variants of Balada.
Once a site is compromised, the Balada scripts focus on exfiltrating sensitive information such as database credentials from wp-config.php files. Even if the site owner cleans the infection and patches their add-ons, the threat actor retains access. The campaign also hunts for backup archives and databases, access logs, debug information, and other files that might contain sensitive data.
Balada Injector plants multiple backdoors on compromised WordPress sites for redundancy, giving the attackers hidden access points. In 2020, Balada was dropping backdoors into 176 predefined paths, making complete removal very challenging. Moreover, the names of the planted backdoors changed in each campaign wave to make detection and removal harder for website owners.
Sucuri notes that defending against Balada Injector attacks may differ from one case to another, and that there is no single set of instructions admins can follow to keep the threat at bay, given the wide variety of infection vectors. However, Sucuri's general WordPress malware cleanup guides should be enough to block most attempts. Keeping all website software updated, using strong, unique passwords, enabling two-factor authentication, and adding file integrity monitoring should go a long way toward protecting sites from compromise.
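As an added illustration of the file integrity monitoring recommended above (example code written for this page, not Sucuri's tooling or anything from the article), the script below hashes a WordPress tree into a baseline, reports files added, modified or removed since that baseline, and flags PHP files appearing under directories that should hold only static content. The directory list, the file layout and the sample snapshots are assumptions.

```python
"""Minimal file-integrity baseline for a WordPress install (added example)."""
import hashlib
import json
import os
import sys

# Assumption: a stock WordPress layout. A PHP file appearing under these
# directories is a common sign of an injected backdoor or web shell.
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large media files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative path, forward slashes) to its hash."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = sha256_file(full)
    return snap


def diff_snapshots(baseline, current):
    """Return sorted lists of added, modified and removed paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_php(paths):
    """Flag .php files that sit inside directories listed in NO_PHP_DIRS."""
    return sorted(p for p in paths if p.lower().endswith(".php")
                  and any(p.startswith(d + "/") for d in NO_PHP_DIRS))


if __name__ == "__main__":
    # Usage: python integrity.py <wordpress_root> <baseline.json>
    # First run writes the baseline; later runs print the changes as JSON.
    root, baseline_file = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        print(f"baseline written: {len(current)} files")
    else:
        with open(baseline_file) as f:
            changes = diff_snapshots(json.load(f), current)
        changes["suspicious_php"] = suspicious_php(changes["added"] + changes["modified"])
        print(json.dumps(changes, indent=1))
```

Run it once right after a clean install or cleanup to record the baseline, then on a schedule; any entry in `suspicious_php`, or an unexpected change to `wp-config.php`, deserves a manual look before the next campaign wave rotates its backdoor names again.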
The sources for this piece include an article in BleepingComputer.