A cyber attack campaign targeting WordPress websites has recently caused significant concern, with experts estimating that up to one million websites may have been compromised.
The campaign has been ongoing, using known vulnerabilities in themes and plugins to insert a malicious Linux backdoor.
While cybersecurity researchers have identified the backdoor as a “Balad Injector.” It appears that the campaign in question has been actively running since 2017, with its primary objective being to redirect users to various types of online scams, and these include:-
- Fake tech support pages
- Lottery scams
- Push notification fraud
Long-running Infection Waves
Sucuri has recently identified the Balad Injector campaign as the same one Dr. Web reported in December 2022.
This campaign exploits the vulnerabilities in multiple plugins and themes to insert a backdoor, allowing attackers to gain unauthorized access to affected websites.
Sucuri has reported that the Balad Injector campaign operates in waves, with attacks occurring approximately once a month. To evade blocking lists and other security measures, the attackers use a freshly registered domain name for each wave of attacks.
Like malware campaigns, the Balad Injector campaign often exploits recently disclosed vulnerabilities in various themes and plugins. The attackers behind the campaign create custom attack routines tailored to the specific flaw they are targeting.
The majority of these domain names are usually combinations of two or four English words that are made up of nonsense information like:-
- sometimesfree[.]biz
- destinyfernandi[.]com
- travelfornamewalking[.]ga
- statisticline[.]com
Injections are performed by the use of URLs on a variety of subdomains within the current wave domain, such as:-
- java.sometimesfree[.]biz/counter.js – active 2017
- slow.destinyfernandi[.]com/slow.js – active 2020
- main.travelfornamewalking[.]ga/stat.js – active 2021
- cdn.statisticline[.]com/scripts/sway.js – active 2023
The impact of the Balad Injector campaign on website security is significant, as evidenced by the fact that 32 domains associated with various waves of malware were responsible for 67.2% of all blocklisted resource detections recorded by SiteCheck in 2022.
These domains fully occupied the top five positions on the list of blocklisted resources, indicating the widespread and persistent nature of the campaign.
Here are the top-ranking domains with top most detection counts:-
- legendarytable[.]com: 18,102 Detections
- weatherplllatform[.]com: 13,133 Detections
- classicpartnerships[.]com: 10,726 Detections
- ads.specialadves[.]com: 8,295 Detections
- line.storerightdesicion[.]com: 7,899 Detections
Injection Methods
Sucuri has observed several injection methods used by the Balad Injector campaign to compromise WordPress websites. While these methods include:-
- Siteurl hacks
- HTML injections
- Database injections
- Arbitrary file injections
The Balad Injector campaign utilizes many attack vectors to compromise WordPress websites, resulting in duplicate site infections. In some cases, subsequent campaign waves have targeted sites that were already compromised.
Sucuri has identified instances of sites being attacked multiple times, with as many as 311 attacks observed on a single site. In one such case, 11 distinct versions of the Balad Injector malware were used to compromise the site.
Balada’s Activity
The Balad Injector campaign is designed to exfiltrate sensitive information from WordPress websites, focusing on stealing database credentials from wp-config[.]php files.
This allows threat actors to access compromised sites even if the site owner clears the initial infection and patches their add-ons.
In addition to targeting wp-config[.]php files, the Balad Injector campaign seeks to exfiltrate a variety of other sensitive information like:-
- Backup archives
- Databases
- Access logs
- Debug information
- Other sensitive files
The Balad Injector malware uses a variety of malicious methods, and among them, one such method involves searching for the presence of popular database administration tools like:-
If these tools are misconfigured or vulnerable, the attackers can use them to create new admin users, extract sensitive information, or inject persistent malware into the database.
The attackers turn to brute force attacks by trying out 74 combinations of credentials to guess the admin password if these accessible pathways are unavailable.
Once the Balad Injector malware has compromised a WordPress site, the attackers plant multiple backdoors to ensure persistent access and control.
These backdoors are hidden access points that provide a proxy for the attackers, meaning that even if one backdoor is discovered and removed, others may be in place to maintain access.
The Balada Injector malware is designed to be challenging to remove, making it a persistent threat to compromised WordPress sites.
One of the tactics used by the attackers is to drop backdoors into 176 predefined paths, creating multiple hidden access points that allow the attackers to maintain control of the site even after the initial infection has been removed.
The Balada Injector campaign also leverages cross-site infections to maintain access to cleaned-up sites.
By exploiting vulnerabilities in plugins and themes, the attackers can gain easy access to the underlying VPS hosting the site. Once they have this access, they can re-infect cleaned-up sites repeatedly as long as they maintain access to the VPS.
Recommendations
Here below, we have mentioned all the basic and regular recommendations offered by the security analysts at Sucuri:-
- Make sure to keep all the website software and plugins updated
- Also, do not forget to keep your installed themes updated.
- Always use strong and unique passwords.
- Ensure implementation of two-factor authentication.
- Make sure to add file integrity systems.
- Always take regular backups of your website database.
Why do Organizations need Unified endpoint management – Download Free E-books & Whitepapers
Related Read: