Unveiling the Balada injector: a malware epidemic in WordPress

Pierluigi Paganini June 14, 2023

How the Balada Injector campaign works, and how to protect your organization from this relentless, self-spreading threat.

A long-running malware campaign has been quietly undermining website security by exploiting popular WordPress plugins, infiltrating over a million websites and leaving administrators scrambling for solutions.

In April 2023, BleepingComputer and other tech outlets such as TechRadar began reporting that cybercriminals were successfully compromising WordPress websites. The attackers gained access through a flaw in the popular page builder Elementor Pro that is exposed when the WooCommerce (online storefront) plugin is also active.

The vulnerability was first reported by security researcher Jerome Bruandet of NinTechNet and carries a base CVSS score of 8.8 (High), giving WordPress administrators and security teams plenty to worry about.

As of May 2023, an official CVE designation was still pending. Sites running Elementor Pro 3.11.6 or earlier with WooCommerce activated should upgrade Elementor Pro to at least 3.11.7; otherwise any authenticated user (think of a standard e-commerce customer) can take full control of the site by exploiting Broken Access Control, ranked first in the OWASP Top 10 (2021).

While reports of this vulnerability have circulated widely, a lesser-known but directly related set of attacks has been hitting these and other common WordPress plugins.

This article focuses on the widespread and highly persistent malware injector campaign known as Balada, which has reportedly infected over one million individual websites by exploiting weaknesses in Elementor Pro, WooCommerce, and several other WordPress plugins. It provides a brief history of the Balada Injector, its common objectives, common Indicators of Compromise (IoCs), and a quick exploitation overview, along with general measures organizations should adopt to avoid becoming the next victim.

What is Balada?

Cybersecurity firm Sucuri has been tracking Balada Injector activity since 2017 but only recently gave the long-running campaign its name. Recent waves rely on binaries written in Go. ‘Balada’, which translates to ‘Ballad’ in several languages, achieves initial infection through well-known but unpatched vulnerabilities in WordPress plugins, themes, or other software.

Balada then attempts to spread and maintain persistence through a rehearsed sequence of attacks, cross-site infections, and backdoor installation, living up to its name. The Elementor Pro and WooCommerce compromise path allows low-privileged authenticated users to modify WordPress options, create administrator accounts, or inject URL redirects into pages or posts. The malware then harvests database credentials, archive files, log data, and other valuable documents that aren’t adequately secured, while planting multiple backdoors and Command and Control (C2) channels for persistence.

Balada is not a shy campaign. Sucuri notes that injection waves follow a roughly monthly schedule, generally starting on a weekend and tapering off around mid-week on a predictable cycle.

Balada favors Linux-based hosts, but Windows web servers such as IIS are not immune. Like other contemporary malware campaigns, Balada uses newly registered domains made of random, unrelated words to entice clicks and redirect users to sites that deliver malicious payloads.

These sites often pose as fake IT support services, cash prize notifications, or even security checks such as CAPTCHAs. The infographic below summarizes the initial attack vectors Balada seeks to exploit, the services and plugins it attempts to abuse, and some of its better-known persistence vectors. Defensive measures are summarized toward the end of the article, as Balada is notoriously difficult to remove once it has embedded itself.

[Figure: Basic Balada Injector workflow and capabilities against a WordPress CMS.]

Identifying Balada injections

Sucuri’s research established that the injector binary embeds the build path “C:/Users/host/Desktop/balada/client/main.go”. This string is an artifact of the operator’s development environment rather than a location on victim hosts, and the “balada” directory in it is where the campaign’s name comes from. A VirusTotal collection, updated intermittently, lists common file hashes, URLs, and other indicators associated with Balada-delivered malware and its infections.

Balada also uses a dated but recurring User-Agent string, “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36”, which Sucuri has observed repeatedly in the logs of compromised hosts from late 2020 to the present. On its own the string is a weak indicator, since genuine Chrome 84 clients still exist; it becomes meaningful when paired with requests to admin or AJAX endpoints. Balada activity has been associated with well over 100 unique domains since 2017, and the injector’s “main.ex_domains” function stores previously used domains for reuse in subsequent monthly campaigns.

The domains below are a small sample of those observed in recently analyzed injector campaigns. Sucuri was contacted for comment in May 2023 about whether the attacks had been attributed to a specific group; no formal response was received.

  • cdn.statisticline[.]com/scripts/sway.js
  • actraffic[.]com
  • importraffic[.]com
  • collectfasttracks[.]com
  • followmyfirstone[.]com
  • digestcolect[.]com
  • primarylocationgo[.]com
  • starttrafficc[.]com
  • buyittraffic[.]com
  • cutttraffic[.]com
  • dexterfortune[.]com
  • jockersunface[.]com
  • destinyfernandi[.]com
  • requestfor4[.]com
  • balanceforsun[.]com
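
The following Python script is an added example, not part of the original article or of Sucuri’s tooling. It turns the two indicators above (the User-Agent string and the sampled domains) into a detection pass: it parses web server access logs in the common “combined” format, flags requests that carry the Balada User-Agent and escalates those that touch WordPress admin or AJAX endpoints, and scans page or post HTML for script tags that load from any of the listed domains. The log lines and HTML embedded in the script are constructed samples, not real captures.

```python
import re
from dataclasses import dataclass

# Indicators taken from the text above: the recurring User-Agent and the sampled domains.
BALADA_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
)
BALADA_DOMAINS_DEFANGED = [
    "cdn.statisticline[.]com", "actraffic[.]com", "importraffic[.]com",
    "collectfasttracks[.]com", "followmyfirstone[.]com", "digestcolect[.]com",
    "primarylocationgo[.]com", "starttrafficc[.]com", "buyittraffic[.]com",
    "cutttraffic[.]com", "dexterfortune[.]com", "jockersunface[.]com",
    "destinyfernandi[.]com", "requestfor4[.]com", "balanceforsun[.]com",
]

# WordPress endpoints an injector touches while creating admins or rewriting options.
WP_ADMIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-login.php", "/xmlrpc.php", "wc-ajax=")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


BALADA_DOMAINS = [refang(d) for d in BALADA_DOMAINS_DEFANGED]

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostname of any <script src=...> tag, with or without a scheme.
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]+src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE
)


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    reason: str


def scan_access_log(lines):
    """Flag requests sent with the Balada User-Agent; note when they hit admin/AJAX endpoints.

    The User-Agent alone is a weak signal (real Chrome 84 clients exist), so the
    combination with an admin endpoint is what should raise priority.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["ua"] != BALADA_USER_AGENT:
            continue  # malformed line or ordinary client
        reason = "balada user-agent"
        if any(p in m["path"] for p in WP_ADMIN_PATHS):
            reason += " + wp admin/ajax endpoint"
        hits.append(Hit(m["ip"], m["time"], m["path"], reason))
    return hits


def find_injected_domains(html: str):
    """Return the Balada domains referenced by <script src=...> tags in a page or post body."""
    hosts = {h.lower() for h in SCRIPT_SRC_RE.findall(html)}
    return sorted(h for h in hosts if any(h == d or h.endswith("." + d) for d in BALADA_DOMAINS))


# Constructed sample input (not real logs): two Balada-style requests and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2023:02:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"',
    '198.51.100.4 - - [12/Jun/2023:02:15:30 +0000] "GET /shop/ HTTP/1.1" 200 8123 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/114.0"',
    '203.0.113.7 - - [12/Jun/2023:02:16:01 +0000] "GET /?p=42 HTTP/1.1" 200 7311 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"',
]

# Constructed post body carrying one injected script tag and one legitimate one.
SAMPLE_POST_HTML = (
    "<p>Welcome to our store.</p>\n"
    "<script src='https://cdn.statisticline.com/scripts/sway.js' type='text/javascript'></script>\n"
    '<script src="https://cdn.example.org/analytics.js"></script>\n'
)

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.ip} {hit.path}: {hit.reason}")
    print("injected domains:", find_injected_domains(SAMPLE_POST_HTML))
```

In practice, feed scan_access_log the lines of access.log (or its rotated archives back to the suspected infection date) and run find_injected_domains over post_content pulled from wp_posts as well as over theme and plugin files, since Balada injects into both the database and the filesystem.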

Exploitation walkthrough

The following section gives a high-level walkthrough of how a WordPress installation running the vulnerable versions of Elementor Pro and WooCommerce can be exploited. The demonstration can be recreated on a Kali Linux VM running a Bitnami WordPress Docker container. Readers should not recreate these conditions outside an isolated lab, download or run known-vulnerable software in any other capacity, or attempt these techniques against systems they do not own. Proceed at your own risk!


Any low-privileged authenticated user, such as a customer who has simply registered a WooCommerce account, can reach the vulnerable code path: Elementor Pro’s WooCommerce module exposed an AJAX action that passed attacker-supplied option names and values to WordPress’s update_option() without checking the caller’s capabilities. The attacker queries the backend AJAX endpoint, for example:

“http(s)://vulnerablesite[.]com/wp-admin/?wc-ajax=1”.

Once options such as “siteurl” have been rewritten, a query against the wp_options table reveals the new destination and whether the option is autoloaded (options with autoload set to ‘yes’ are read on every request, so a tampered siteurl takes effect immediately). Certain web application firewalls (WAFs) reportedly block exploitation attempts, but a WAF is a mitigation rather than a fix: upgrade Elementor Pro immediately if version 3.11.6 or earlier is in use.
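
As an added example (not part of the original article or of any vendor tooling), the following Python script performs the post-exploitation check just described against a constructed, in-memory SQLite stand-in for the wp_options, wp_users and wp_usermeta tables; the SQL is what you would run against the real MySQL database with the default wp_ prefix. The sample data models a site where the attacker has switched on open registration and set the default role to administrator, then registered a second admin. The expected values for users_can_register and default_role are assumptions for a hardened store and should be set to the site’s intended configuration.

```python
import sqlite3

# Option names an attacker with unrestricted update_option() access would target.
WATCHED_OPTIONS = ("siteurl", "home", "users_can_register", "default_role")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for wp_options, wp_users and wp_usermeta after a compromise."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT UNIQUE,
                                 option_value TEXT, autoload TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options (option_name, option_value, autoload) VALUES
            ('siteurl', 'https://shop.example.test', 'yes'),
            ('home', 'https://shop.example.test', 'yes'),
            ('users_can_register', '1', 'yes'),
            ('default_role', 'administrator', 'yes'),
            ('blogname', 'Example Shop', 'yes');
        INSERT INTO wp_users VALUES
            (1, 'owner', '2021-03-04 10:00:00'),
            (2, 'customer01', '2023-04-01 08:12:55'),
            (3, 'wpservice', '2023-04-02 03:41:10');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:8:"customer";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        """
    )
    return conn


def audit_options(conn, expected_url, registration="0", default_role="subscriber"):
    """Read the watched options and report any that differ from the site's intended state.

    autoload='yes' options are loaded on every request, so a rewritten siteurl/home
    redirects visitors immediately; the flag is included so responders can see that.
    """
    expected = {"siteurl": expected_url, "home": expected_url,
                "users_can_register": registration, "default_role": default_role}
    placeholders = ",".join("?" * len(WATCHED_OPTIONS))
    rows = conn.execute(
        f"SELECT option_name, option_value, autoload FROM wp_options "
        f"WHERE option_name IN ({placeholders}) ORDER BY option_name",
        WATCHED_OPTIONS,
    ).fetchall()
    return [
        f"{name}={value!r} (expected {expected[name]!r}, autoload={autoload})"
        for name, value, autoload in rows
        if value != expected[name]
    ]


def admins_registered_after(conn, since):
    """Administrator accounts created after a known-good date; unexpected ones are backdoor candidates."""
    rows = conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%\"administrator\"%' "
        "AND u.user_registered > ? ORDER BY u.user_registered",
        (since,),
    )
    return [login for (login,) in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for finding in audit_options(db, "https://shop.example.test"):
        print("option tampered:", finding)
    print("admins created since 2023-03-01:", admins_registered_after(db, "2023-03-01"))
```

The same two queries are worth scheduling as a recurring check rather than running once after an incident: a siteurl or default_role that changes without a corresponding change ticket is a high-fidelity signal that someone with arbitrary update_option() access has been on the site.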

Defensive control considerations

So far, the article has covered how Balada achieves initial compromise, the types of files and information it targets, and some common infection techniques. The guidance below can help organizations prevent Balada infections or detect them when they occur.

Some advice is self-evident, such as keeping web server hosts, website plugins, themes, and related software current and fully patched. Some is less obvious, such as ensuring sound DNS security through solutions like Cisco Umbrella or DNSFilter, which provide network-level or roaming-client protection that identifies and blocks redirection attempts and DNS requests to known malicious sites. Organizations should also enforce a strong password policy (complexity, 16+ characters, etc.), require multifactor authentication or other conditional access policies for privileged users, and alert the appropriate teams whenever a privileged account is created. Organizations should also strongly consider implementing, or routinely assessing, the following:

  • Routinely audit installed plugins, themes, and other software, and remove anything not strictly necessary for the web application to operate.
  • Conduct internal and routine penetration testing or similar assessments against web applications to identify exploitable weaknesses before Balada does.
  • Enable File Integrity Monitoring (FIM) against critical system files.
  • Heavily restrict access to sensitive files like wp-config, website backup data, log files or database archives and ensure strong data retention policies purge older versions of this data when no longer needed.
  • Disable unnecessary or insecure server services and protocols like FTP.
  • Subscribe to security alerts via US CISA, MS-ISAC or other reputable threat intelligence services to learn about critical software and system vulnerabilities.
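
The File Integrity Monitoring item above is the one most often left as an intention. As an added example (not from the original article or any FIM product), the following Python script implements the core of it: hash every file under the web root, store the baseline outside the web root, and on each later run report added, removed and modified files, singling out PHP that has appeared in web-writable directories such as wp-content/uploads, a classic drop location for injector backdoors. The WordPress tree it builds and then tampers with is constructed in a temporary directory, and the directory list in WRITABLE_DIRS is an assumption to be adjusted per site.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Directories WordPress itself writes to; new PHP here is almost never legitimate.
# Assumption for the example: adjust to the site's actual web-writable paths.
WRITABLE_DIRS = ("wp-content/uploads/", "wp-content/cache/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Hash every regular file under root, keyed by its forward-slash relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots and single out PHP that appeared or changed in web-writable directories."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    suspicious = sorted(
        k for k in added + modified if k.endswith(".php") and k.startswith(WRITABLE_DIRS)
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious_php": suspicious}


def demo() -> dict:
    """Build a constructed WordPress tree, baseline it, simulate an injection, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the web root
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'shop');\n",
            "wp-content/themes/storefront/functions.php": "<?php // theme functions\n",
            "wp-content/uploads/2023/05/hero.jpg": "JPEGDATA",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        save_baseline(snapshot(root), baseline_file)

        # Simulated Balada-style tampering: a loader appended to the theme and a PHP file
        # dropped into uploads (contents are placeholders, not a working backdoor).
        (root / "wp-content/themes/storefront/functions.php").write_text(
            "<?php // theme functions\n// injected redirect loader would be appended here\n"
        )
        (root / "wp-content/uploads/2023/06").mkdir(parents=True)
        (root / "wp-content/uploads/2023/06/.cache.php").write_text("<?php // simulated dropped backdoor\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run snapshot() against the real web root right after a clean install or a verified clean restore, and re-run compare() from cron or a deploy hook; Balada re-infects on a monthly cycle, so a baseline taken after an incomplete cleanup will simply enshrine the backdoors.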

The original post is available at https://cybernews.com/security/wordpress-malware-epidemic-balada-injector/

About the author: Adam Kohnke, Contributor at Cyber News
