Sucuri researchers reported that more than 17,000 WordPress websites have been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August.
The Balada Injector is a malware family that has been active since 2017. The malware supports multiple attack vectors and persistence mechanisms. The malicious code was first discovered in December 2022 by AV firm Doctor Web.
“Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.” reads the report published by Dr Web. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”
Sucuri states that in recent attacks, the threat actors targeted vulnerable tagDiv premium themes. The experts discovered over 9,000 websites infected with Balada Injector through the exploitation of a vulnerability in the Newspaper theme.
“We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.” states the report published by Sucuri. “September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.”
In the recent campaign, threat actors exploited a cross-site scripting (XSS) vulnerability, tracked as CVE-2023-3169, in tagDiv Composer.
“The obfuscated injection itself can be found in the “td_live_css_local_storage” option in the wp_options table of the WordPress database.” continues Sucuri.
The researchers observed several attack waves. In some attacks the malicious script was injected through stay.decentralappps[.]com. The first variation of this injection was detected on over 4,000 sites, while a second variation was found on another 1,000+ sites.
In another wave, the threat actors were observed using a malicious script to create rogue WordPress administrator accounts. In the first attacks, the threat actors used the username ‘greeceman’, but later started using auto-generated usernames based on the site’s hostname.
In other attacks, threat actors planted a backdoor in the Newspaper theme’s 404.php file.
The attackers then switched to installing the wp-zexit plugin and concealed the backdoor in the website’s Ajax interface.
On September 21, 2023, the Balada Injector operators registered three new domains within a period of 7 seconds.
In other attacks, experts observed randomized injections in tdw-css-placeholder, and in the most recent infections the decoded scripts tried to load the next-stage malware from different URLs on multiple subdomains of the three new Balada domains.
Researchers recommend administrators upgrade the tagDiv Composer plugin to version 4.2 or later, to address the above vulnerability.
Other recommendations include keeping WordPress components (themes and plugins) updated, removing dormant user accounts, and scanning your files for hidden backdoors.
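One way to triage a site for the indicators the article lists (the injected wp_options entries, rogue administrator accounts, a modified theme 404.php), as an added example that is not part of the Sucuri report or this article: a Python script run over constructed rows. The marker regexes, the `expected` allowlist and the hostname-derived username heuristic are assumptions; in practice the rows would come from a wp_options export or WP-CLI output.

```python
import re

# Option names the report identifies as injection locations (from the article).
SUSPECT_OPTIONS = {"td_live_css_local_storage", "tdw-css-placeholder"}
# Username reported in the early waves (from the article).
KNOWN_ROGUE_USERS = {"greeceman"}
# Assumed generic injection / backdoor markers; not taken from the report,
# except the decentralappps domain fragment named in the article.
JS_MARKERS = re.compile(r"<script|String\.fromCharCode|atob\(|eval\(|decentralappps", re.I)
PHP_MARKERS = re.compile(r"\beval\s*\(|base64_decode\s*\(|\$_(?:REQUEST|POST|GET)\[", re.I)

def scan_options(options):
    """options: iterable of (option_name, option_value) rows from wp_options."""
    return [f"wp_options:{name}: script injection marker"
            for name, value in options
            if name in SUSPECT_OPTIONS and JS_MARKERS.search(value)]

def scan_admins(admins, site_host, expected):
    """Flag administrators not in the allowlist; hostname-derived names separately."""
    host_stem = site_host.split(".")[0].lower()
    findings = []
    for user in admins:
        if user in expected:
            continue
        if user in KNOWN_ROGUE_USERS:
            findings.append(f"admin:{user}: username reported in Balada campaign")
        elif host_stem and host_stem in user.lower():
            findings.append(f"admin:{user}: hostname-derived name, not in allowlist")
        else:
            findings.append(f"admin:{user}: unexpected administrator")
    return findings

def scan_theme_file(path, content):
    return [f"{path}: PHP backdoor marker"] if PHP_MARKERS.search(content) else []

def run_example():
    # Constructed sample data standing in for a real site's database and files.
    options = [
        ("siteurl", "https://example.com"),
        ("td_live_css_local_storage", "<script>eval(atob('Y29uc3RydWN0ZWQ='))</script>"),
        ("tdw-css-placeholder", ".site-header { color: #333; }"),  # benign CSS
    ]
    admins = ["alice", "greeceman", "examplecom_admin"]
    page_404 = "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); get_header(); ?>"
    return (scan_options(options)
            + scan_admins(admins, "example.com", expected={"alice"})
            + scan_theme_file("wp-content/themes/Newspaper/404.php", page_404))
```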