Over a Million WordPress Websites Compromised by Balada Injector Malware Campaign

WordPress Websites having a Malware attacks WordPress Websites having a Malware attacks MS Bing Image Creator

A large-scale malware campaign, known as Balada Injector, has been infecting WordPress websites since 2017, impacting more than one million sites. This persistent cyber threat exploits theme and plugin vulnerabilities, leading to compromised site security and exposing sensitive user information.

The Balada Injector malware campaign has been active since 2017, infecting an estimated one million WordPress websites. According to GoDaddy's Sucuri, this massive operation takes advantage of all known and recently discovered theme and plugin vulnerabilities to infiltrate WordPress sites. The attacks occur in waves, typically once every few weeks.

Security researcher Denis Sinegubko notes that the campaign is easily identifiable by its preference for String.fromCharCode obfuscation, the use of newly registered domain names hosting malicious scripts on random subdomains, and redirects to various scam sites. These sites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to enable notifications to verify they are not robots, allowing the threat actors to send spam ads.

This report follows recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in over two dozen plugins and themes to compromise vulnerable WordPress sites. Throughout the years, Balada Injector has used over 100 domains and a variety of methods to exploit known security flaws (e.g., HTML injection and Site URL). The attackers mainly attempt to obtain database credentials in the wp-config.php file.

Moreover, the attacks are designed to read or download arbitrary site files, including backups, database dumps, log and error files, and search for tools like adminer and phpmyadmin that may have been left behind by site administrators after completing maintenance tasks.

The malware ultimately allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access. Balada Injector also conducts broad searches from top-level directories associated with the compromised website's file system to locate writable directories belonging to other sites.

Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions," Sinegubko explains. "In this manner, compromising just one site can potentially grant access to several other sites 'for free.

If these attack pathways are unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are advised to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.

This revelation comes just weeks after Palo Alto Networks Unit 42 discovered a similar malicious JavaScript injection campaign affecting more than 51,000 websites since 2022. The activity also employs String.fromCharCode as an obfuscation technique, leading victims to booby-trapped pages that trick them into enabling push notifications by disguising as a fake CAPTCHA check to serve deceptive content.

The injected malicious JS code was included on the homepage of more than half of the detected websites," Unit 42 researchers report. "One common tactic used by the campaign's operators was to inject malicious JS code on frequently used JS filenames (e.g., jQuery) that are likely to be included on the homepages of compromised websites.

This potentially helps attackers target the website's legitimate users, as they are more likely to visit the website's home page.

Conclusion: The Balada Injector malware campaign serves as a reminder of the importance of maintaining strong security measures for WordPress websites. To protect their sites, users should keep software up-to-date, remove unused plugins and themes, and use robust admin passwords.

Rate this item
(0 votes)
K Dinesh Kumara

Founder of PC World Online Magazine

I'm an educator, entrepreneur, and career guidance officer. I'm interested in ICT, psychology, financial literacy, meditation, and yogic sciences. My hobbies are discovering, learning, experiencing, sharing, and exiling.

Leave a comment

Attention readers: Starting from 15-05-2023, we will be reviewing all comments submitted through our website's comment section before publishing them. This change is due to the increased volume of spam comments we have been receiving. We appreciate your understanding and apologize for any delays this may cause. Thank you for your continued support and valuable contributions to our platform.

Dear valued users,

We welcome you to the PC World Magazine Website and appreciate your interest in commenting on our articles. This platform is intended for thoughtful discussions and exchanging ideas and information related to the topic of the article. However, please be mindful that we do not tolerate any illegal activities or marketing purposes. Misusing the comment section for such purposes will result in the immediate removal of the comment and could result in the termination of your account. We ask that you keep your comments respectful, on-topic, and relevant to the article. Additionally, please do not post personal information, hate speech, or offensive content. Thank you for your cooperation in creating a positive and productive environment for all users on the PC World Magazine Website.

Best regards,
PC World Magazine Team

The Technology Video of The Day

Email Newsletter Subscription

Fill out the subscription form by providing your email address and name. Click on the "Subscribe" button to complete the process.


Receive HTML?

Thank you for choosing to stay updated with our latest news and offerings!
Joomla Extensions powered by Joobi

Articles Calendar

« May 2023 »
Mon Tue Wed Thu Fri Sat Sun
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

Articles Archive

Go to top