Thousands of WordPress sites running a vulnerable version of the Popup Builder plugin have been compromised by malware known as Balada Injector.
This is not the first time sites built on WordPress have been compromised. Unfortunately, even though WordPress is (at least largely) open source and freely available, the platform is far from invulnerable, especially when attacks rely on scripts (JavaScript, in this case, which in theory is within the reach of almost anyone).
What we know about Balada Injector and how it attacks sites built using WordPress
First documented by Doctor Web in January 2023, the campaign unfolds in periodic waves of attacks that exploit security vulnerabilities in WordPress plugins to inject backdoors designed to redirect visitors of infected sites to fake tech support pages, fraudulent lottery winnings, and push notification scams.
Subsequent findings by Sucuri have revealed the wide scope of the operation, which according to its researchers appears to have been active since 2017 and has infiltrated no fewer than 1 million sites since then.
The GoDaddy-owned website security company, which detected Balada Injector's latest activity on December 13, 2023, said it identified injections on over 7,100 sites.
These attacks exploit a serious flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8), a plugin with over 200,000 active installations, which was made public by WPScan a day earlier. The problem has been fixed in version 4.2.3.
“When successfully exploited, this vulnerability could allow attackers to perform any action permitted to the logged-in administrator they targeted on the site, including installing arbitrary plugins and creating new fraudulent administrator users,” said WPScan researcher Marc Montpas.
The ultimate goal of the campaign is to inject a malicious JavaScript file hosted on specialcraftbox[.]as and use it to take control of the website and load additional JavaScript that facilitates malicious redirects.
Furthermore, the threat actors behind Balada Injector are known to establish persistent control over compromised sites by loading backdoors, adding malicious plugins, and creating fraudulent blog administrators; this is often accomplished through JavaScript injections that specifically target site administrators who are logged in.
“The idea is that when a blog administrator accesses a website, their browser contains cookies that allow them to carry out all their administrative tasks without having to authenticate on each new page,” said Sucuri researcher Denis Sinegubko last year, adding: “So if their browser loads a script that tries to emulate the administrative task, they will be able to do almost anything that can be done through the WordPress admin interface.”
The new wave is no exception: if logged-in administrator cookies are detected, the malware exploits those elevated privileges to install and activate a fraudulent backdoor plugin (“wp-felody.php” or “Wp Felody”) that retrieves a second-stage payload from the previously mentioned domain.
The payload, another backdoor, is saved under the name “sasas” in the directory used for temporary files, executed, and then deleted from disk.
“It checks up to three levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account,” Sinegubko said, concluding: “Then, in the root directories of the detected sites, it edits the wp-blog-header.php file to inject the same Balada JavaScript malware that was originally injected via the Popup Builder vulnerability.”
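As an added illustration (not code from this article, from Sucuri or from WPScan), the following Python script shows how the owner of a shared hosting account could sweep every WordPress install under that account for the three traces described above: a wp-blog-header.php that suddenly carries an HTML script tag or the injector's domain, a copy of the “wp-felody.php” plugin file, and a leftover “sasas” file in the temp directory. The directory layout it builds, the "pure PHP, no script tags" heuristic for wp-blog-header.php, and the placeholder `.invalid` top-level domain are all assumptions; the article does not give the injector domain's full name.

```python
import os
import re
import tempfile

HEADER_FILE = "wp-blog-header.php"
BACKDOOR_PLUGIN = "wp-felody.php"          # backdoor plugin file named in the article
TEMP_DROPPER = "sasas"                     # second-stage file name given in the article
# Assumed heuristic: a genuine wp-blog-header.php is a pure PHP bootstrap file, so an HTML
# <script> tag or a reference to the injector's domain inside it is a strong sign of tampering.
SUSPICIOUS_RE = re.compile(r"<script\b|specialcraftbox\[?\.\]?", re.IGNORECASE)


def find_site_roots(account_root):
    """Return every directory below account_root that holds a wp-blog-header.php."""
    return sorted(d for d, _subdirs, files in os.walk(account_root) if HEADER_FILE in files)


def check_header(site_root):
    """Flag a wp-blog-header.php that carries script tags or the injector's domain."""
    path = os.path.join(site_root, HEADER_FILE)
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = SUSPICIOUS_RE.search(fh.read())
    return [f"{path}: injected content ({match.group(0)!r})"] if match else []


def check_plugins(site_root):
    """Flag any copy of the wp-felody.php backdoor under wp-content/plugins."""
    plugins_dir = os.path.join(site_root, "wp-content", "plugins")
    return [
        f"{os.path.join(d, BACKDOOR_PLUGIN)}: known backdoor plugin file"
        for d, _subdirs, files in os.walk(plugins_dir)
        if BACKDOOR_PLUGIN in files
    ]


def check_temp(temp_dir):
    """Flag the 'sasas' dropper if it is still present in the temp directory."""
    path = os.path.join(temp_dir, TEMP_DROPPER)
    return [f"{path}: second-stage dropper still on disk"] if os.path.exists(path) else []


def scan(account_root, temp_dir):
    """Return {site name: findings}; temp-directory findings are keyed under 'temp'."""
    report = {
        os.path.relpath(root, account_root): check_header(root) + check_plugins(root)
        for root in find_site_roots(account_root)
    }
    temp_findings = check_temp(temp_dir)
    if temp_findings:
        report["temp"] = temp_findings
    return report


def build_sample_tree():
    """Constructed fixture: a clean site and a site showing all three traces.

    Returns (account_root, temp_dir). The '.invalid' TLD is a placeholder; the
    article does not give the injector domain's real top-level domain.
    """
    base = tempfile.mkdtemp(prefix="balada_demo_")
    clean_php = "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp();\n"
    injected_php = clean_php + '<script src="https://specialcraftbox[.]invalid/x.js"></script>\n'

    for name, header in (("site-a", clean_php), ("site-b", injected_php)):
        site = os.path.join(base, name)
        os.makedirs(os.path.join(site, "wp-content", "plugins"))
        with open(os.path.join(site, HEADER_FILE), "w", encoding="utf-8") as fh:
            fh.write(header)

    felody_dir = os.path.join(base, "site-b", "wp-content", "plugins", "wp-felody")
    os.makedirs(felody_dir)
    with open(os.path.join(felody_dir, BACKDOOR_PLUGIN), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed stand-in for the backdoor plugin\n")

    temp_dir = os.path.join(base, "tmp")
    os.makedirs(temp_dir)
    with open(os.path.join(temp_dir, TEMP_DROPPER), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed stand-in for the second-stage payload\n")
    return base, temp_dir


if __name__ == "__main__":
    root, tmp = build_sample_tree()
    for site, findings in scan(root, tmp).items():
        print(site, "->", findings or "clean")
```

Running the script against a real account means pointing `scan()` at the hosting account's document root and at the PHP temp directory; the walk across every site under the account mirrors the malware's own habit of spreading to neighbouring installs, which is why cleaning a single site is rarely enough.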