Balada Injector continues to infect thousands of WordPress sites

Pierluigi Paganini January 15, 2024

Balada Injector malware infected more than 7100 WordPress sites using a vulnerable version of the Popup Builder plugin.

In September, Sucuri researchers reported that more than 17,000 WordPress websites had been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August 2023.

The Balada injector is a malware family that has been active since 2017. The malware supports multiple attack vectors and persistence mechanisms. The malicious code was first discovered in December 2022 by AV firm Doctor Web.

“Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.” reads the report published by Dr Web. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

In September, Sucuri reported that the threat actors targeted vulnerable tagDiv’s premium themes. The experts discovered over 9,000 websites infected with Balada Injector by exploiting vulnerabilities in the Newspaper theme vulnerability.

On December 11, 2023 WPScan published a report on the stored XSS vulnerability in the popular Popup Builder plugin (200,000+ active installation) that was addressed in version 4.2.3. Attackers can exploit the vulnerability to perform malicious actions on behalf of the logged‑in administrator they targeted. An attacker for example can create a new rogue Administrator user.

Sucurity reported that on December 13th, the Balada Injector campaign started infecting websites using older versions of the Popup Builder (CVE-2023-6000, CVSS score 8.8). Threat actors used a recently registered (December 13) domain specialcraftbox[.]comAt the time of writing PublicWWW detects the injection on over 7100 websites. 

In the attacks monitored by Sucuri, the injection is added as a handler for the “sgpbWillOpen” event that is triggered right before the hijacked popup opens. Administrators can find it (and remove it) in the “Custom JS or CSS” of the Popup Builder section of the WordPress admin interface.

In the recent wave of attacks, if threat actors detect logged-in admin cookies, they exploit the issue to install and activate a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) and load a second-stage payload from specialcraftbox[.]com.

The payload is a backdoor that is saved to the sasas file in the system temporary directory. Then the file is executed and deleted from disk.

“The sasas file is responsible for the secondary infection. It checks up to 3 levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account.” concludes the report. “Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected via the Popup Builder vulnerability.”

Balada Injector malware

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Balada Injector)

you might also like

leave a comment