SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

Balada Injector continues to infect thousands of WordPress sites

by Valentin / Monday, 15 January 2024 / Published in RSS blog posts

Cyber Security BlogsBalada Injector malware infected more than 7100 WordPress sites using a vulnerable version of the Popup Builder plugin.

In September, Sucuri researchers reported that more than 17,000 WordPress websites had been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August 2023.

The Balada injector is a malware family that has been active since 2017. The malware supports multiple attack vectors and persistence mechanisms. The malicious code was first discovered in December 2022 by AV firm Doctor Web.

“Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.” reads the report published by Dr Web. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

In September, Sucuri reported that the threat actors targeted vulnerable tagDiv’s premium themes. The experts discovered over 9,000 websites infected with Balada Injector by exploiting vulnerabilities in the Newspaper theme vulnerability.

On December 11, 2023 WPScan published a report on the stored XSS vulnerability in the popular Popup Builder plugin (200,000+ active installation) that was addressed in version 4.2.3. Attackers can exploit the vulnerability to perform malicious actions on behalf of the logged‑in administrator they targeted. An attacker for example can create a new rogue Administrator user.

Sucurity reported that on December 13th, the Balada Injector campaign started infecting websites using older versions of the Popup Builder (CVE-2023-6000, CVSS score 8.8). Threat actors used a recently registered (December 13) domain specialcraftbox[.]com. At the time of writing PublicWWW detects the injection on over 7100 websites. 

In the attacks monitored by Sucuri, the injection is added as a handler for the “sgpbWillOpen” event that is triggered right before the hijacked popup opens. Administrators can find it (and remove it) in the “Custom JS or CSS” of the Popup Builder section of the WordPress admin interface.

In the recent wave of attacks, if threat actors detect logged-in admin cookies, they exploit the issue to install and activate a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) and load a second-stage payload from specialcraftbox[.]com.

The payload is a backdoor that is saved to the sasas file in the system temporary directory. Then the file is executed and deleted from disk.

“The sasas file is responsible for the secondary infection. It checks up to 3 levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account.” concludes the report. “Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected via the Popup Builder vulnerability.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Balada Injector)

​Read More

  • Tweet

About Valentin

What you can read next

A peek behind the curtain: How are sock puppet accounts used in OSINT?
Smashing Security podcast #355: Fishy Rishi, 23andMe, and the labour of love
Why Prioritizing Digital Security Matters

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP