In mid-December 2023 [3] [4], Sucuri specialists discovered a new Balada Injector campaign targeting vulnerable WordPress websites [4]. The campaign exploited an XSS vulnerability in the Popup Builder plugin [4], allowing attackers to execute malicious JavaScript code and plant a backdoor disguised as a plugin named wp-felody.php. The Balada Injector malware is known for redirecting visitors to fake tech support pages and other scam sites [4]. This ongoing campaign has affected over 1 million sites to date.

Description

The Balada Injector campaign targeted over 6,700 WordPress websites running a vulnerable version of the Popup Builder plugin [4]. By exploiting an XSS vulnerability [4], the attackers were able to execute malicious JavaScript code and modify the wp-blog-header.php file to load a backdoor [4]. This backdoor was disguised as the wp-felody.php plugin [4] and allowed the attackers to execute arbitrary PHP code and retrieve additional payloads [4]. The campaign's goal is complete control over compromised websites, achieved by inserting a malicious JavaScript file. To maintain that control [3], the malware uploads backdoors, adds malicious plugins [3], and creates rogue administrator accounts [2] [3]. It abuses the session cookies of logged-in administrators to install a rogue backdoor plugin and fetch a second-stage payload [3]. WordPress site administrators should act immediately to defend against the Balada Injector campaign: update themes and plugins [1], uninstall redundant or unsupported products [1], and keep the number of active plugins on the site to a minimum [1].
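A defender-side check for the two file-level indicators named above (a file called wp-felody.php anywhere in the install, and code in wp-blog-header.php beyond the stock loader statements), written as an added example rather than code from Sucuri or the cited reports; the stock-loader patterns and the sample install it scans are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators named in the write-up above: the backdoor file name and tampering with
# wp-blog-header.php. The heuristics are an assumption, not Sucuri's own detection logic.
SUSPECT_FILENAMES = {"wp-felody.php"}
# A stock wp-blog-header.php only loads wp-load.php, calls wp() and loads template-loader.php.
EXPECTED_HEADER = [
    r"require_once\s+__DIR__\s*\.\s*'/wp-load\.php'",
    r"\bwp\(\)",
    r"require_once\s+ABSPATH\s*\.\s*WPINC\s*\.\s*'/template-loader\.php'",
]
# Any other include/require, or a typical obfuscation/exec call, does not belong in that file.
INJECTED = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec)\s*\(|"
    r"\b(include|require)(_once)?\b(?![^;\n]*(wp-load\.php|template-loader\.php))[^;\n]*"
)

def check_blog_header(path: Path) -> list[str]:
    """Report statements missing from, or foreign to, the stock loader file."""
    # Comments are stripped first so the stock doc block cannot trigger a match.
    code = re.sub(r"/\*.*?\*/|//[^\n]*", "", path.read_text(errors="replace"), flags=re.S)
    findings = [f"{path}: expected statement missing: {p}" for p in EXPECTED_HEADER
                if not re.search(p, code)]
    return findings + [f"{path}: unexpected code: {m.group(0).strip()!r}" for m in INJECTED.finditer(code)]

def scan_wordpress_root(root: Path) -> list[str]:
    """Walk an install tree and collect both kinds of indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name in SUSPECT_FILENAMES:
                findings.append(f"{p}: suspicious file name")
            elif name == "wp-blog-header.php" and p.parent == root:
                findings += check_blog_header(p)
    return findings

def demo() -> list[str]:
    """Scan a constructed sample install (fabricated for this example, not real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-blog-header.php").write_text(
        "<?php\n/* stock loader plus one injected line */\nif ( ! isset( $wp_did_header ) ) {\n"
        "\t$wp_did_header = true;\n\trequire_once __DIR__ . '/wp-load.php';\n"
        "\trequire_once __DIR__ . '/wp-content/wp-felody.php';\n"  # the injected loader line
        "\twp();\n\trequire_once ABSPATH . WPINC . '/template-loader.php';\n}\n")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "wp-felody.php").write_text("<?php /* placeholder body */\n")
    return scan_wordpress_root(root)
```

Run `scan_wordpress_root(Path("/path/to/wordpress"))` against a real document root; a clean install yields an empty list, and any hit should be compared against a pristine copy of the same WordPress version before it is acted on.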

Conclusion

The Balada Injector campaign has significant implications for website security. It redirects visitors to fraudulent pages and scams [2], putting users at risk and damaging the reputation of affected websites. Mitigating it requires proactive measures from WordPress site administrators: regularly updating themes and plugins, removing redundant or unsupported products, and minimizing the number of active plugins. Ongoing monitoring and layered security controls remain essential to detect future compromises and keep pace with evolving threats.

References

[1] https://www.techtimes.com/articles/300560/20240112/over-6-700-wordpress-sites-spotted-using-plugin-infected-new.htm
[2] https://thehackernews.com/2024/01/balada-injector-infects-over-7100.html
[3] https://vulnera.com/newswire/over-7100-wordpress-sites-compromised-by-balada-injector-malware-exploiting-plugin-vulnerability/
[4] https://www.gamingdeputy.com/hacker-balada-injector-compromises-6700-wordpress-sites/