Rising Threat: Balada Injector Exploits WordPress Vulnerabilities at Alarming Rates


Introduction

In September 2023, the cybersecurity landscape witnessed a significant surge in cyber threats, particularly affecting WordPress websites. A notorious malware strain, known as Balada Injector, wreaked havoc by compromising over 17,000 websites during this period. This marked a concerning escalation, nearly doubling the number of detections compared to the previous month. Among the compromised websites, an alarming 9,000 fell victim to the exploitation of a recently disclosed security flaw in the popular tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1), which allows unauthenticated users to carry out stored cross-site scripting (XSS) attacks.

Historical Context

Balada Injector has a troubling history of targeting vulnerabilities in tagDiv's premium themes. Sucuri security researcher Denis Sinegubko emphasized that this wasn't the first time the Balada Injector gang exploited security flaws in tagDiv's themes. The campaign traces back to the summer of 2017, when disclosed security bugs in the Newspaper and Newsmag WordPress themes were actively abused, showcasing the persistence and adaptability of this malicious operation.

Balada Injector's Modus Operandi

Balada Injector, initially discovered by Doctor Web in December 2022, operates as a large-scale campaign exploiting various WordPress plugin vulnerabilities to deploy a Linux backdoor on susceptible systems. The primary objective of the implanted malware is to redirect users of compromised sites to fraudulent tech support pages, deceptive lottery wins, and push notification scams. Shockingly, the campaign has impacted more than a million websites since its inception in 2017.

Attack Patterns and Techniques

The Balada Injector attacks unfold in distinct waves, recurring every few weeks. An interesting pattern emerges, with a surge in infections detected on Tuesdays following the initiation of a wave during the weekend. The latest breaches highlight the exploitation of CVE-2023-3169, wherein a malicious script is injected to establish persistent access over the compromised sites. The attackers employ various techniques, such as uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

Evolving Tactics

The sophistication of Balada Injector is evident in its evolving tactics. Historically, the malware targeted logged-in WordPress site administrators, enabling adversaries to perform malicious actions with elevated privileges. The injected scripts can plant a backdoor in the site's 404 error pages, and that backdoor either executes arbitrary PHP code or automatically installs the malicious wp-zexit plugin. Sucuri describes this as "one of the most complex types of attacks," as it mimics the entire process of installing a plugin from a ZIP archive file and activating it.

Advanced Script Functionality

In a continuous cat-and-mouse game with cybersecurity experts, newer attack waves observed in late September 2023 involve randomized code injections. These injections download and launch a second-stage payload from a remote server to install the wp-zexit plugin. Additionally, obfuscated scripts are employed to transmit visitors' cookies to an actor-controlled URL, fetching unspecified JavaScript code in return.
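As an added triage example (not part of the original article or of any Sucuri tooling), the script below checks a WordPress install for two of the indicators described in the preceding sections: the wp-zexit plugin directory and theme 404 templates containing PHP calls that execute arbitrary code. The list of flagged PHP functions is a generic heuristic chosen for this example, and the sample install it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Heuristic set of PHP calls commonly used to run injected code (assumption for
# this example, not a list from the report); the wp-zexit slug is from the report.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|system|passthru|shell_exec)\s*\(",
    re.IGNORECASE,
)

def triage_wordpress(root):
    """Return a list of findings for a WordPress install rooted at `root`."""
    findings = []
    plugins = os.path.join(root, "wp-content", "plugins")
    # 1. Presence of the malicious wp-zexit plugin named in the report.
    if os.path.isdir(os.path.join(plugins, "wp-zexit")):
        findings.append("plugin directory wp-content/plugins/wp-zexit present")
    # 2. Theme 404 templates carrying PHP that can execute arbitrary code.
    themes = os.path.join(root, "wp-content", "themes")
    if os.path.isdir(themes):
        for theme in sorted(os.listdir(themes)):
            path = os.path.join(themes, theme, "404.php")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    match = SUSPICIOUS_PHP.search(line)
                    if match:
                        findings.append(f"{theme}/404.php:{lineno} calls {match.group(1)}()")
    return findings

def build_demo_site(root):
    """Constructed sample install: a clean theme, a tampered theme, the rogue plugin."""
    os.makedirs(os.path.join(root, "wp-content", "plugins", "wp-zexit"))
    clean = os.path.join(root, "wp-content", "themes", "clean-theme")
    bad = os.path.join(root, "wp-content", "themes", "infected-theme")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "404.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n")
    with open(os.path.join(bad, "404.php"), "w") as fh:
        # Constructed stand-in for an injected 404 backdoor line.
        fh.write("<?php get_header(); ?>\n<?php eval(base64_decode($payload)); ?>\n")

def demo_findings():
    """Build the constructed sample install in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        return triage_wordpress(tmp)

if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Point `triage_wordpress()` at a real document root to run it against a live install; a clean 404.php produces no findings because only the listed function calls are flagged.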

Conclusion

The Balada Injector threat is escalating, showcasing a relentless pursuit of exploiting WordPress vulnerabilities for malicious purposes. Website administrators and security professionals must remain vigilant, implementing robust security measures to thwart these evolving attacks. As the Balada Injector gang adapts and refines its techniques, the cybersecurity community faces an ongoing challenge to stay one step ahead in safeguarding the integrity of WordPress websites.
