Over the past few years, an ongoing malware campaign called Balada Injector has affected over a million WordPress websites.
Image Source: The Hacker News
This massive campaign is known for leveraging all known and recently discovered theme and plugin vulnerabilities to breach WordPress sites. According to GoDaddy’s Sucuri, the attacks play out in waves once every few weeks. The attackers use various obfuscation techniques and fake domains to redirect users to scam sites, fake tech support, and rogue CAPTCHA pages.
Security researcher Denis Sinegubko said that “This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites.” The malware ultimately allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access.
The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites. In the interim years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (e.g., HTML injection and Site URL), with the attackers primarily attempting to obtain database credentials in the wp-config.php file.
Additionally, the attacks are engineered to read or download arbitrary site files – including backups, database dumps, log and error files – as well as search for tools like adminer and phpmyadmin that could have been left behind by site administrators upon completing maintenance tasks.
If these attack pathways turn out to be unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are, therefore, recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.
The findings highlight the need for website owners to keep their website software up-to-date and remove unused plugins and themes to prevent attackers from exploiting known security flaws. By doing so, WordPress users can reduce their risk of falling victim to attacks like Balada Injector and similar campaigns.
Balada Injector malware campaign is a serious threat to WordPress sites, having infected over a million websites. Website owners should take steps to protect themselves, such as keeping their software up-to-date and removing unused plugins and themes.
Download WordPress: Website
More tech news: Click Here
Thanks for your time being here, please share the post to support us 🙂