Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023

In September 2023, over 17,000 WordPress websites fell victim to malware known as Balada Injector, almost double the number of detections recorded in August.

Of these compromised websites, approximately 9,000 were infiltrated through a recently disclosed security vulnerability in the tagDiv Composer plugin (CVE-2023-3169, CVSS score 6.1). The flaw allows unauthenticated attackers to carry out stored cross-site scripting (XSS) attacks.

According to Sucuri security researcher Denis Sinegubko, the Balada Injector group has a history of targeting vulnerabilities in tagDiv's premium themes. One of the earliest instances of a massive malware injection linked to this campaign dates back to the summer of 2017 when disclosed security flaws in Newspaper and Newsmag WordPress themes were actively exploited.

Balada Injector, a large-scale operation first identified by Doctor Web in December 2022, relies on exploiting various vulnerabilities in WordPress plugins to install a Linux backdoor on vulnerable systems.

The primary purpose of this implant is to redirect users of compromised websites to fake tech support pages, fraudulent lottery claims, and push notification scams. This campaign has affected over a million websites since its inception in 2017.

Balada Injector attacks follow a recurring pattern, with surges in infections typically occurring on Tuesdays following the initiation of a new wave during the weekend.

The recent breaches involved the exploitation of CVE-2023-3169 to inject a malicious script, ultimately establishing persistent access to the compromised sites. Attackers achieved this by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

Historically, these scripts have targeted logged-in WordPress site administrators, enabling attackers to carry out malicious actions with elevated privileges through the admin interface, including creating new admin users for subsequent attacks.

The ever-evolving nature of these scripts is evident in their ability to implant a backdoor in a site's 404 error page that is capable of executing arbitrary PHP code. Alternatively, they can leverage code embedded in the pages to automatically install a malicious wp-zexit plugin.

Sucuri described this as "one of the most complex types of attacks" executed by the script since it mimics the entire process of plugin installation from a ZIP archive file and activation.

The plugin's core functionality is a backdoor that executes PHP code sent remotely by the threat actors.

In newer attack waves observed in late September 2023, attackers used randomized code injections to download and execute second-stage malware from a remote server, which in turn installed the wp-zexit plugin. Additionally, obfuscated scripts were employed to transmit visitors' cookies to an attacker-controlled URL, receiving unspecified JavaScript code in return.
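The report names three persistence indicators a site owner can look for: a 404 template that evaluates runtime-supplied code, a plugin directory called wp-zexit, and administrator accounts nobody created on purpose. The following heuristic sweep is an added example, not code from Sucuri or the article; the directory tree it scans is a constructed fixture, and the admin-user list stands in for what `wp user list --role=administrator` would return on a real site.

```python
"""Heuristic sweep of a WordPress tree for the Balada Injector indicators
described in the report. Example code; the sample site below is constructed."""
import re
import tempfile
from pathlib import Path

# PHP constructs that let a template run code supplied at runtime. A hit in a
# 404 template is a strong signal: legitimate 404.php files rarely need them.
DYNAMIC_EXEC = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
ROGUE_PLUGIN_DIRS = {"wp-zexit"}  # plugin name given in the report


def scan_wordpress(root: Path, admin_users: list[str], known_admins: set[str]) -> dict:
    """Return findings keyed by indicator type (lists are empty when clean)."""
    findings = {"404_backdoor": [], "rogue_plugin": [], "rogue_admin": []}
    for page in (root / "wp-content" / "themes").glob("*/404.php"):
        hit = DYNAMIC_EXEC.search(page.read_text(errors="replace"))
        if hit:
            findings["404_backdoor"].append(
                (page.relative_to(root).as_posix(), hit.group(1).lower()))
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        findings["rogue_plugin"] = sorted(
            p.name for p in plugins.iterdir() if p.is_dir() and p.name in ROGUE_PLUGIN_DIRS)
    # Any administrator not on the owner's allowlist is a candidate rogue account.
    findings["rogue_admin"] = sorted(set(admin_users) - known_admins)
    return findings


def build_sample_site() -> Path:
    """Constructed fixture: one clean theme, one with a tampered 404.php,
    a legitimate plugin directory and the rogue wp-zexit directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    themes, plugins = root / "wp-content" / "themes", root / "wp-content" / "plugins"
    (themes / "clean").mkdir(parents=True)
    (themes / "clean" / "404.php").write_text(
        "<?php get_header(); ?><h1>Page not found</h1><?php get_footer(); ?>")
    (themes / "sample-theme").mkdir(parents=True)
    # Constructed marker of an injected template, not a working backdoor.
    (themes / "sample-theme" / "404.php").write_text(
        "<?php get_header(); eval($injected); get_footer(); ?>")
    for name in ("akismet", "wp-zexit"):
        (plugins / name).mkdir(parents=True)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    report = scan_wordpress(site, ["editor_jane", "wpadmin", "xs7k2q"], {"wpadmin"})
    for kind, hits in report.items():
        print(f"{kind}: {hits}")
```

Run it against a real install by pointing `scan_wordpress` at the WordPress root and feeding it the current administrator list; treat every hit as a lead for manual review rather than a verdict.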

According to Sinegubko, in these recent attacks, instead of relying on the tagDiv Composer vulnerability, attackers leveraged their backdoors and malicious admin users that were planted after successful attacks on website administrators.

Source: https://thehackernews.com/2023/10/over-17000-wordpress-sites-compromised.html
