
Balada Injector Malware Operation Damaged More Than 1 Million WordPress Sites


By Esme Greene

Apr 14, 2023

Over 1 million WordPress websites have been affected by the Balada Injector malware. The campaign that deploys it has been active since 2017.

How does it work?

According to reports from GoDaddy’s Sucuri, the extensive campaign “leverages all recognized and only newly created theme and plugin vulnerabilities” to compromise WordPress websites. The attacks are reported to arrive in waves every few weeks.

Here’s what Dmitry Sinegubko, a security expert, said about it:

“This campaign is clearly recognizable by its predilection for String.fromCharCode obfuscation, the use of recently registered web addresses hosting malicious programs on various subdomains, and by links to numerous scam sites.”

Among the compromised websites are those that fool visitors with phony tech support, false lottery winners, and harmful CAPTCHA pages that trick victims into enabling alerts, allowing the criminals to deliver spam emails.
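As an added defender-side example (not code from the article or from Sucuri), the following Python helper decodes the String.fromCharCode(...) calls that the quote above names as the campaign's signature obfuscation, and flags any that unpack to a URL or a script tag. The sample snippet and the example.invalid domain are constructed for illustration.

```python
import re

# Matches String.fromCharCode(...) calls carrying a comma-separated list of
# numeric character codes, the obfuscation style attributed to Balada Injector.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9\s,]+)\)")


def decode_fromcharcode(js: str) -> list[str]:
    """Decode every String.fromCharCode(...) call found in a JavaScript snippet."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(js):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def find_suspicious_injections(js: str) -> list[dict]:
    """Flag decoded strings that reveal an external script load or a redirect."""
    findings = []
    for text in decode_fromcharcode(js):
        reasons = []
        if re.search(r"https?://", text):
            reasons.append("decodes to a URL")
        if "<script" in text.lower() or "location" in text.lower():
            reasons.append("decodes to script/redirect code")
        if reasons:
            findings.append({"decoded": text, "reasons": reasons})
    return findings


# Constructed sample (not a real payload): an injected snippet in the Balada
# style that unpacks to a script tag loading from a placeholder domain.
SAMPLE_INJECTION = (
    "var _0x=String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,"
    "104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,"
    "108,105,100,47,34,62,60,47,115,99,114,105,112,116,62);"
    "document.write(_0x);"
)

if __name__ == "__main__":
    for finding in find_suspicious_injections(SAMPLE_INJECTION):
        print(finding["decoded"], "->", ", ".join(finding["reasons"]))
```

Run it over the inline JavaScript of a site's pages or theme files; a benign call such as String.fromCharCode(72,105) decodes to plain text and is not flagged.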

What else is Balada Injector able to affect?

The report builds on recent research from Doctor Web that described in detail how a related Linux malware family operates.

To exploit well-known security flaws such as HTML injection and Site URL injection, Balada Injector has over 100 domains and a variety of techniques at its disposal. The database credentials stored in the wp-config.php file are the primary target of the attackers’ efforts.

The attacks also attempt to read or copy arbitrary site files, such as database dumps, log and error files, and backups, and to search for tools like adminer and phpmyadmin that site administrators may have left behind after finishing maintenance work.

The malware then creates fake WordPress admin users, collects data from the infected hosts, and maintains backdoors for persistent access.

Balada Injector also searches extensively from the top-level directories of the hijacked website’s file system to find writable directories belonging to other websites on the same host.

How was it actually discovered?

The findings follow Palo Alto Networks Unit 42’s discovery of a related malicious JavaScript injection campaign that redirects website visitors to adware and scam domains; since 2022, that campaign has affected more than 51,000 websites.
