A malicious campaign named Balada Injector has reportedly infected over one million WordPress websites since 2017. GoDaddy’s Sucuri has noted that the campaign exploits all known and recently discovered vulnerabilities in WordPress plugins and themes to infiltrate the sites.
The attackers favour String.fromCharCode obfuscation, freshly registered domain names that host malicious scripts on random subdomains, and redirects to various scam sites to carry out the attacks.
The malware creates fake WordPress admin users, harvests data from the underlying hosts, and leaves backdoors for continued access. The attacks also search for tools such as Adminer and phpMyAdmin that site administrators may have left behind after completing maintenance tasks, which lets attackers read or download arbitrary site files, including backups, database dumps, and log and error files.
Furthermore, the Balada Injector campaign relies on over 100 domains and many methods to exploit known security flaws, including HTML injection and injection into the site URL setting. The attackers primarily attempt to obtain the database credentials stored in the wp-config.php file, and craft the attacks to read or download arbitrary site files.
The compromised site’s top-level directories are further searched for writable directories that belong to other sites. Compromising just one site can grant access to several different sites for free.
If these attack paths are unavailable, the admin password is brute-forced with a batch of 74 predefined credentials. WordPress users must keep their website software up to date, uninstall unused plugins and themes, and use strong WordPress admin passwords.
The attackers use String.fromCharCode as an obfuscation technique to inject malicious JS code into the homepages of infected websites, potentially targeting legitimate users, who are more likely to visit the website’s homepage.
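As an added example (not code from the article or from Sucuri), the following JavaScript scans page source for String.fromCharCode calls, decodes the numeric argument list, and flags calls whose decoded text contains script-injection primitives; the sample page and the marker list are constructed assumptions for this illustration.

```javascript
// Defender-side scanner for String.fromCharCode obfuscation in page source.
// The sample page below is constructed for this example; it is not a real
// Balada Injector sample.
const SAMPLE_PAGE = [
  '<html><body><h1>Welcome</h1>',
  '<script>eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,' +
  '99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59))</script>',
  '</body></html>',
].join('\n');

// Matches String.fromCharCode( <comma-separated integers> ), tolerating spaces.
const FROM_CHAR_CODE_RE = /String\.fromCharCode\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g;

// Substrings that, inside a decoded payload, usually indicate hidden script
// injection or a redirect rather than harmless text (assumed list).
const SUSPICIOUS_MARKERS = ['createElement', 'document.write', 'location', '<script', 'src='];

// Decode every fromCharCode call in `source`; return one finding per call.
function decodeFromCharCodeCalls(source) {
  const findings = [];
  for (const match of source.matchAll(FROM_CHAR_CODE_RE)) {
    const codes = match[1].split(',').map((n) => Number(n.trim()));
    const decoded = String.fromCharCode(...codes);
    const hits = SUSPICIOUS_MARKERS.filter((m) => decoded.includes(m));
    findings.push({
      offset: match.index, // where in the page the obfuscated call starts
      codeCount: codes.length,
      decoded,
      suspicious: hits.length > 0,
      markers: hits,
    });
  }
  return findings;
}

// True when any decoded payload on the page looks like injected script.
function pageLooksInjected(source) {
  return decodeFromCharCodeCalls(source).some((f) => f.suspicious);
}

// Stand-alone run over the constructed sample page.
for (const f of decodeFromCharCodeCalls(SAMPLE_PAGE)) {
  console.log(`offset ${f.offset}: ${f.codeCount} codes -> ${JSON.stringify(f.decoded)}` +
              (f.suspicious ? ` [suspicious: ${f.markers.join(', ')}]` : ''));
}
```

The same scanner can be pointed at theme files or post content pulled from the database, since the campaign injects the obfuscated script wherever it gains write access.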