A campaign that has infected over one million WordPress sites using the Balada Injector has been found to be active since at least 2017. It leverages all known and recently discovered theme and plugin vulnerabilities to breach these sites, and the attacks are usually carried out in waves arriving once every few weeks.
According to Sucuri security researcher Denis Sinegubko, the campaign spreads via freshly registered domain names that host different malicious scripts on random subdomains, and via redirects to various scam sites, including but not limited to fake tech support, rogue CAPTCHA pages and fraudulent lottery wins.
These malicious pages ask users to enable site notifications by tricking them into clicking accept on the notification permission under the guise of human verification. Once notification permissions are granted, the threat actors can spam victims with ads.
In the last six years, the Balada Injector has used over 100 domains and many different techniques to exploit known security vulnerabilities, all with the single goal of extracting the site's database credentials from the wp-config.php file. The file is essential to WordPress sites, as it contains the configuration information and credentials needed to keep a site running.
These attacks are also set up to read or download any site files that might come in handy later. These include backups, database dumps, error logs and just about anything that can give insight into how the target site works. Additionally, they search for the presence of the tools phpMyAdmin and Adminer, which site admins often use for configuration and maintenance tasks.
Successful exploitation results in the creation of fake WordPress users that can log in to the site and leave backdoors for later access, while any data stored on the host server is also harvested. Further, if other websites run under the same server account with the same credentials and file permissions, compromising one site can lead to multiple other websites being breached with no additional effort.
In 2022 alone, Sucuri reports that its external website scanner SiteCheck detected the Balada malware over 141,000 times, with over 67% of websites that had blocklisted resources loading scripts from previously known Balada domains. Researchers have over 100 signatures, covering both front-end and back-end variations of the malware, that have been injected into various server files and WordPress databases scattered around the internet.
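The article describes what the campaign goes after once it is inside a site: the credentials in wp-config.php, stray backups, database dumps and error logs, exposed phpMyAdmin or Adminer installs, and script tags injected into theme files and database content. The audit below is an added example written for this page, not Sucuri's tooling or any code from the campaign, and it checks a WordPress webroot for exactly those conditions from the defender's side. The file-name suffixes, the allowlist of script hosts, and the constructed demo tree (including the placeholder host `stat.example-bad.invalid`) are assumptions made for the example; adjust the suffix list and allowlist to your own site.

```python
import re
import stat
import tempfile
from pathlib import Path

# Suffixes the article says attackers harvest after a breach: backups, DB dumps,
# logs. The list is an assumption for this example; extend it for your hosting setup.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".bak", ".log")
# DB admin tools the campaign looks for; they should not live inside the webroot.
ADMIN_TOOL_DIRS = ("phpmyadmin", "adminer")
# Matches an external <script src=...> and captures its host. Relative (same-origin)
# script paths deliberately do not match, since only foreign hosts are of interest.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)


def exposed_artifacts(webroot):
    """Return web-reachable paths that should never be under the webroot."""
    hits = []
    for path in sorted(Path(webroot).rglob("*")):
        rel = path.relative_to(webroot).as_posix()
        if path.is_dir() and path.name.lower() in ADMIN_TOOL_DIRS:
            hits.append(rel)
        elif path.is_file() and rel.lower().endswith(SENSITIVE_SUFFIXES):
            hits.append(rel)
    return hits


def wp_config_world_readable(webroot):
    """True if any other account on the host can read the DB credentials file."""
    mode = (Path(webroot) / "wp-config.php").stat().st_mode
    return bool(mode & stat.S_IROTH)


def foreign_script_hosts(text, allowed_hosts):
    """Hosts of external <script> tags in text (a PHP/HTML file or a DB dump)
    that are not on the allowlist. Unknown hosts are what a signature-based
    scanner like the one in the article would then compare to known bad domains."""
    allowed = {h.lower() for h in allowed_hosts}
    return sorted({h.lower() for h in SCRIPT_SRC.findall(text) if h.lower() not in allowed})


def audit(webroot, allowed_hosts):
    """Run all three checks over a webroot and return the findings."""
    foreign = set()
    for path in Path(webroot).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".html", ".js", ".sql"):
            foreign.update(foreign_script_hosts(path.read_text(errors="ignore"), allowed_hosts))
    return {
        "exposed": exposed_artifacts(webroot),
        "wp_config_world_readable": wp_config_world_readable(webroot),
        "foreign_script_hosts": sorted(foreign),
    }


def build_demo_webroot():
    """Constructed WordPress-like tree in a temp dir, for demonstration only."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    cfg = root / "wp-config.php"
    cfg.write_text("<?php define('DB_PASSWORD', 'example-only'); ?>\n")
    cfg.chmod(0o644)  # world-readable: the weak setting the audit should flag
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "site-backup.sql.gz").write_bytes(b"")   # exposed backup
    (uploads / "photo.jpg").write_bytes(b"")             # harmless file
    (root / "error.log").write_text("")                  # exposed log
    (root / "adminer").mkdir()                           # DB tool inside webroot
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    # Constructed header with one allowlisted CDN script and one injected foreign script.
    theme.joinpath("header.php").write_text(
        '<script src="https://cdn.example.com/app.js"></script>\n'
        "<script src='//stat.example-bad.invalid/stat.js'></script>\n"
        '<script src="/wp-includes/js/jquery.js"></script>\n'
    )
    return str(root)


if __name__ == "__main__":
    demo = build_demo_webroot()
    for key, value in audit(demo, {"cdn.example.com"}).items():
        print(f"{key}: {value}")
```

Point `audit()` at a real webroot with your own CDN and analytics hosts in the allowlist; `foreign_script_hosts()` can also be run directly over a `wp_posts`/`wp_options` dump, since the article notes injections land in the database as well as in server files. Anything it returns is a lead to compare against a current blocklist, not proof of compromise on its own.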