Multiple Balada Injector campaigns have compromised more than 117,000 WordPress sites by exploiting vulnerabilities in premium theme plugins. Discovered in December 2022, the Balada Injector operation has been exploiting well-known WordPress plugin and theme vulnerabilities to inject a Linux backdoor.
This backdoor redirects site visitors to fake tech support pages, fraudulent lottery winnings, and push notification scams, indicating that the operation either runs scam campaigns itself or provides a service to scammers.
Balada Injector’s History:
In April 2023, Sucuri reported that Balada Injector had been active since 2017 and had potentially compromised nearly one million WordPress sites.
The latest campaign targets the CVE-2023-3169 cross-site scripting (XSS) vulnerability in tagDiv Composer, a companion tool for tagDiv’s Newspaper and Newsmag themes for WordPress websites. Newspaper boasts 137,000 sales, and Newsmag has over 18,500, indicating a significant attack surface of 155,500 websites.
The attacks targeting CVE-2023-3169 began in mid-September, shortly after the vulnerability details were disclosed, and a proof-of-concept exploit was released. These attacks align with a campaign shared with BleepingComputer in late September, where numerous WordPress sites were found infected with a malicious plugin called wp-zexit.php. This plugin allowed threat actors to remotely send PHP code to be executed on compromised sites.
A tagDiv representative confirmed awareness of the flaw and advised users to install the latest theme to prevent attacks. They recommended additional security measures, such as installing a security plugin like Wordfence, scanning the website, and changing all passwords.
Sucuri’s report reveals that several thousand sites have already been compromised through exploitation of CVE-2023-3169. A distinct sign of exploitation is a malicious script injected within specific tags, with the obfuscated injection stored in the website’s ‘wp_options’ table.
Sucuri has identified six distinct attack waves, some with variants, which include:
- Compromising WordPress sites by injecting malicious scripts.
- Creation of rogue WordPress administrator accounts.
- Use of WordPress’s theme editor to embed backdoors.
- Installation of the wp-zexit plugin.
- Introduction of new domains and increased randomization.
- Use of promsmotion[.]com subdomains.
Sucuri detected Balada Injector on over 17,000 WordPress sites in September 2023, with more than half of the compromises achieved by exploiting CVE-2023-3169. The attacks show adaptability and rapid optimization by the threat actors.
To defend against Balada Injector, site owners should upgrade the tagDiv Composer plugin to version 4.2 or later, which addresses the vulnerability. Keeping all themes and plugins updated, removing dormant user accounts, and scanning files for hidden backdoors are also essential security measures. Sucuri’s free scanner can detect most Balada Injector variants for WordPress site owners.
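As an added defender-side triage helper (not Sucuri’s scanner or tagDiv’s code), the following Python script checks data exported from a WordPress site for the indicators described in this report: script injections in the ‘wp_options’ table, administrator accounts the site owner does not recognize, the wp-zexit.php plugin file, and references to promsmotion[.]com. The JavaScript obfuscation pattern, the plugin path, and all sample data are assumptions constructed for illustration.

```python
# Added triage helper: flags the Balada Injector indicators named in the
# report. Inputs are expected to come from a wp_options export, a user
# list and a plugin file listing; sample data below is constructed.
import re

# Indicators taken from the report; the obfuscation regex is an assumption.
SUSPECT_PLUGIN_FILES = {"wp-zexit.php"}
SUSPECT_DOMAINS = {"promsmotion.com"}          # written defanged in the report
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
OBFUSCATION = re.compile(r"\b(eval|atob|String\.fromCharCode|unescape)\s*\(", re.IGNORECASE)


def scan_options(rows):
    """rows: list of (option_name, option_value). Returns one finding per
    row that carries a <script> tag, common JS obfuscation calls, or a
    campaign domain (subdomains included, since the report notes them)."""
    findings = []
    for name, value in rows:
        reasons = []
        if SCRIPT_TAG.search(value):
            reasons.append("script tag")
        if OBFUSCATION.search(value):
            reasons.append("obfuscated JS")
        if any(d in value.lower() for d in SUSPECT_DOMAINS):
            reasons.append("campaign domain")
        if reasons:
            findings.append(f"wp_options[{name}]: " + ", ".join(reasons))
    return findings


def rogue_admins(users, expected_admins):
    """users: list of (login, role). Returns administrator logins that are
    not on the owner's known list, i.e. candidates for rogue accounts."""
    return sorted(u for u, role in users if role == "administrator" and u not in expected_admins)


def suspicious_plugin_files(paths):
    """Returns plugin file paths whose basename matches a known malicious plugin."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in SUSPECT_PLUGIN_FILES)


# Constructed sample data standing in for a real site export.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("widget_text", '<script>eval(atob("..."))</script>'),
    ("widget_custom_html", '<script src="https://cdn.promsmotion.com/x.js"></script>'),
    ("blogdescription", "Just another site"),
]
SAMPLE_USERS = [("alice", "administrator"), ("editor1", "editor"), ("wp_support9", "administrator")]
SAMPLE_PLUGINS = ["wp-content/plugins/akismet/akismet.php", "wp-content/plugins/wp-zexit/wp-zexit.php"]

if __name__ == "__main__":
    print(scan_options(SAMPLE_OPTIONS))
    print(rogue_admins(SAMPLE_USERS, {"alice"}))
    print(suspicious_plugin_files(SAMPLE_PLUGINS))
```

In practice the rows would come from `SELECT option_name, option_value FROM wp_options` and the user list from `wp_users` joined with the capabilities meta; a hit is a lead for manual review, not proof of compromise on its own.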