In September 2023, more than 17,000 WordPress websites were compromised by malware known as Balada Injector, nearly double the number of detections recorded in August. Of these compromised websites, around 9,000 were infiltrated through a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1). The vulnerability allows unauthenticated attackers to carry out stored cross-site scripting (XSS) attacks.

Denis Sinegubko, a security researcher at Sucuri, noted that this is not the first time the Balada Injector gang has targeted vulnerabilities in tagDiv's premium themes. In the summer of 2017, a significant malware injection campaign exploited security bugs in the Newspaper and Newsmag WordPress themes.

Balada Injector is a large-scale operation initially discovered by Doctor Web in December 2022. The threat actors behind this malware exploit various vulnerabilities in WordPress plugins to deploy a Linux backdoor on vulnerable systems. The primary purpose of this implant is to redirect users of compromised sites to fraudulent tech support pages, lottery scams, and push notification scams. Since 2017, over a million websites have been impacted by this campaign.

Attacks involving Balada Injector typically occur in recurring waves, with a surge in infections detected on Tuesdays following the start of a wave during the weekend.

In the latest set of breaches, the attackers exploited CVE-2023-3169 to inject a malicious script and gain persistent access to the compromised sites. They achieve this by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

Historically, the scripts have primarily targeted logged-in WordPress site administrators, allowing the adversaries to perform malicious actions with elevated privileges through the admin interface. This includes creating new admin users that can be used for subsequent attacks.

The scripts used by Balada Injector are continually evolving. They can plant a backdoor in a website's 404 error page that executes arbitrary PHP code. Alternatively, they can use code embedded in the pages to automatically install a malicious wp-zexit plugin. This plugin mimics the process of installing a plugin from a ZIP archive file and activates it. Its core functionality is the same as the backdoor: executing PHP code sent remotely by the threat actors.
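The two persistence mechanisms described above (a tampered theme 404 page that evaluates attacker-supplied PHP, and the rogue wp-zexit plugin) both leave traces on disk that a site owner can look for. The scanner below is an added example written for this article, not code from Sucuri or the article's author: it walks a WordPress install, flags plugin directories whose slug matches the one the article names, and flags any theme 404.php containing eval-style calls fed from decoding functions or request data. The sample tree it builds is constructed for the demo; the pattern list is illustrative, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Patterns typical of PHP backdoors that run remotely supplied code:
# eval()/assert()/create_function() fed from a decoder or raw request input.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))",
    re.IGNORECASE,
)

# Plugin slug named in the article; extend with your own known-bad slugs.
ROGUE_PLUGIN_SLUGS = {"wp-zexit"}


def scan_wp_root(wp_root):
    """Return a sorted list of (finding, relative_path) for a WordPress tree."""
    root = Path(wp_root)
    findings = []
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        for p in plugins.iterdir():
            if p.name in ROGUE_PLUGIN_SLUGS:
                findings.append(("rogue-plugin", str(p.relative_to(root))))
    themes = root / "wp-content" / "themes"
    if themes.is_dir():
        for f in themes.rglob("404.php"):
            if SUSPICIOUS.search(f.read_text(errors="ignore")):
                findings.append(("404-backdoor", str(f.relative_to(root))))
    return sorted(findings)


def build_sample_site():
    """Constructed demo tree: one benign plugin, one rogue plugin,
    one clean theme 404 page and one tampered 404 page."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/plugins/wp-zexit").mkdir(parents=True)
    (root / "wp-content/plugins/akismet").mkdir(parents=True)
    clean = root / "wp-content/themes/clean-theme"
    clean.mkdir(parents=True)
    (clean / "404.php").write_text("<?php get_header(); ?><h1>Not found</h1>")
    bad = root / "wp-content/themes/news-theme"
    bad.mkdir(parents=True)
    (bad / "404.php").write_text(
        "<?php get_header(); ?>\n<?php eval(base64_decode($_POST['c'])); ?>"
    )
    return str(root)


if __name__ == "__main__":
    for kind, path in scan_wp_root(build_sample_site()):
        print(f"{kind}: {path}")
```

Run it against a real install by calling scan_wp_root("/path/to/wordpress"); a hit only tells you where to look, so confirm each flagged file by hand and compare it against a clean copy of the theme.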

Newer attack waves observed in late September 2023 use randomized code injections to download and launch a second-stage malware from a remote server, which installs the wp-zexit plugin. Additionally, obfuscated scripts transmit visitors' cookies to an actor-controlled URL and receive unspecified JavaScript code in return.

In this latest series of attacks, instead of exploiting the tagDiv Composer vulnerability, the attackers leveraged their backdoors and malicious admin users that were planted after successful attacks against website admins, as explained by Denis Sinegubko of Sucuri.
