Massive Balada Injector Malware Campaign Infects Over 1 Million WordPress Sites

Reading Time: ( Word Count: )

April 10, 2023

A malicious campaign named Balada Injector has reportedly infected over one million WordPress websites since 2017. GoDaddy’s Sucuri has noted that the campaign exploits all known and recently discovered vulnerabilities in WordPress plugins and themes to infiltrate the sites. 

The attackers use a preference for String.fromCharCode puzzlement, along with freshly registered domain names hosting malicious scripts on random subdomains, and redirects to various scam sites to carry out the attacks. 

The malware generates fake WordPress admin users, harvests data in the underlying hosts, and leaves backdoors for continued access. In addition, the attacks search for tools like admirer and phpmyadmin that site administrators could have left behind upon completing maintenance tasks, enabling attackers to read or download arbitrary site files, including backups and database dumps, log, and error files.

Massive Balada Injector Malware

Also, Read; Winter Vivern: “The Latest Cyber Threat Targeting European Governments”

Furthermore, the Balada Injector campaign relies on over 100 domains and many methods to exploit known security flaws, including HTML injection and Site URLs. The attackers primarily attempt to obtain database credentials in the wp-config.php file, and the attacks engineer to read or download arbitrary site files. 

The compromised site’s top-level directories are further searched for writable directories that belong to other sites. Compromising just one site can grant access to several different sites for free. 

If these attack pathways are unattainable, the admin password is brute-forced through a batch of 74 predefined credentials. WordPress consumers must keep their website software up-to-date, uninstall unused plugins and themes, and use strong WordPress admin passwords.

The report comes after Doctor Web discovered a Linux malware family that exploits flaws in over two dozen plugins and themes to endanger vulnerable WordPress sites. Weeks later, Palo Alto Networks Unit 42 found a comparable vicious JavaScript injection campaign that redirects site visitors to adware and scam pages, affecting over 51,000 websites since 2022. 

The attackers use String.fromCharCode as a bafflement technique to inject malicious JS code on the homepages of detected websites, potentially targeting valid consumers as they are more likely to visit the website’s homepage.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *