The Balada Injector is still at large and still evading security software by utilizing new domain names and using new obfuscation.
During a routine web monitoring operation, we discovered an address that led us down a rabbit hole of WordPress-orientated “hack waves” caused by the Balada Injector malware. This evidence suggests that the malware is still at large and still evading security software by utilizing new domain names and slight changes between the waves of obfuscated attacks.
How Ballada Injector works
The starting point of the research that ensued following the discovery was a website at address spatialreality[.]com which appeared during routine web monitoring. The address led to what appeared to be a WordPress-powered website, which, upon visiting, downloaded a PHP file onto the user’s computer instead of serving the landing page.
While PHP files are usually processed by a website’s back-end, this time it was downloaded instead, due to syntax errors within it. This revealed to us the injected exploit code responsible for remote access to infected machines and redirect-based malvertising scheme control. Within the file, there were seven brackets of PHP tags and each of them contained an obfuscated piece of code within.
The PHP tags were stacked on top of each other, having legitimate code of the website at the very bottom. Therefore, if the syntax was correct, it ran the malicious code before serving the actual website being visited.
Upon further inspection, we were able to ascertain that the initial website we were investigating had fallen susceptible to at least seven waves of these automated attacks by one or more malware operators and had four different payloads within the investigated file, each of which was delivered through successful vulnerability exploitation.
The Balada injector is a malware family known to be active from 2017 to the present day. It employs multiple attack vectors and persistence mechanisms. For example, in the researched case, we noticed a likely outcome of seven automated attack waves against a vulnerable WordPress website, each adding a block of malicious PHP code straight into the index file of the compromised website, which executes the malicious scripts upon being visited. Fortunately for us, the automated attack waves seem to lack functionality for evaluating whether the site has been compromised before. This results in situations where, rather than executing malicious code injected by the attackers, a file is downloaded instead of containing the injected payload.
The scripts referenced above requested the execution of subsequent scripts from other addresses. The scripts were responsible not only for causing website redirection – resulting in the monetary gain of the threat actor on questionable reputation websites – but also for having the capability to read and write cookies on the end-user’s device. Furthermore, they attempted to track the user and install malicious extensions or other software on the end user’s device.
The scripts loaded through descriptionscripts[.]com addresses listed previously subsequently loaded other scripts from the following URLs:
PublicWWW reported the following statistics when queried with malicious script URLs:
It seems that the attackers use randomly generated domains bought via providers that allow anonymous purchases. They also consistently switch them when old ones get detected and flagged as malicious. Malware operators also utilize the rental of “virtual private servers” and “shared hosting” services from various hosting providers in countries such as Ukraine and Germany, where the scripts were hosted. Certain specific indicators reveal that all of the domains and subdomains implicated in the attack are linked to the same threat actor. Some of these domains are interconnected during the script execution phases, as they call upon one another. Additionally, some of them exhibit similar methods of obfuscation and exploitation, suggesting their interconnection. Furthermore, some of these domains either share the same IP address or possess a shared SSL certificate, as illustrated in the table presented below.
Significance to web users
Balada Injector is a serious threat to web users as it affects vulnerable versions of WordPress based websites (WordPress based websites amount to almost 43% of all known websites). The malware family is known to operate since 2017 and remains at large, as described by Sucuri in the articles linked below.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.