Cyber Attacks
October 10, 2023

Balada Injector attacks compromised over 17,000 WordPress sites in the last month

Multiple Balada Injector campaigns have affected over 17,000 WordPress websites using known flaws in premium plugins.

Balada Injector is an operation that exploits vulnerabilities in well-known WordPress plugins and themes to implant a Linux backdoor. This backdoor, once installed, redirects visitors of compromised websites to deceptive tech support pages, fraudulent lottery claims and push notification scams. It’s employed either as an integral component of scam campaigns or as a service available for purchase to cyber criminals.

Balada Injector is believed to have been active since 2017, and nearly one million WordPress sites are estimated to have been compromised over that time.

Ongoing campaign

In the current campaign, threat actors are exploiting the CVE-2023-3169 cross-site scripting (XSS) vulnerability found in tagDiv Composer, a tool closely associated with tagDiv's Newspaper and Newsmag premium themes for WordPress sites.

Both Newspaper and Newsmag are widely used premium themes, boasting 137,000 and over 18,500 sales, respectively, according to statistics. This campaign potentially affects a significant attack surface of 155,500 websites, excluding pirated copies.

These themes are favoured by thriving online platforms with substantial traffic and robust operations.

The latest wave of attacks targeting CVE-2023-3169 commenced in mid-September, shortly after the vulnerability details were disclosed, along with the release of a proof-of-concept (PoC) exploit.

These attacks are consistent with a campaign reported in late September. During this time, administrators on Reddit shared their experiences of numerous WordPress sites being compromised by a malicious plugin named wp-zexit.php.

This plugin enabled threat actors to remotely transmit PHP code, which was then stored in the /tmp/i file and subsequently executed.

Furthermore, these attacks involved the injection of code into templates, resulting in user redirection to fraudulent websites that are controlled by the attackers.

In addition to updating the theme, the recommended course of action is to install a security plugin like Wordfence, perform a thorough website scan, and change all website passwords.

A report has shed new light on this campaign, cautioning that several thousand websites have already fallen victim to compromise.

A distinctive indicator of CVE-2023-3169 exploitation is the injection of malicious scripts within specific tags, with the obfuscated injection itself being in the 'wp_options' table of the website's database.

Six separate attack waves have been observed, some of which include variants, as summarised below:

1. Compromising WordPress sites by injecting malicious scripts from stay.decentralappps[.]com. This flaw enabled the propagation of malicious code on public pages, affecting over 5,000 sites (4,000 and 1,000 in two variants).

2. Utilising a malicious script to create unauthorised WordPress administrator accounts. Initially, the username 'greeceman' was employed, but the attackers switched to auto-generated usernames based on the site's hostname.

3. Exploiting WordPress's theme editor to embed backdoors within the Newspaper theme's 404.php file for inconspicuous persistence.

4. Transitioning to the installation of the previously mentioned wp-zexit plugin, which mimics WordPress admin behaviour and conceals the backdoor within the website's Ajax interface.

5. Introduction of three new domains and increased randomness in the injected scripts, URLs, and codes, making tracking and detection more challenging. One specific injection from this wave affected 484 sites.

6. Shifting attacks to use promsmotion[.]com subdomains instead of stay.decentralappps[.]com, with deployment limited to three specific injections detected in 92, 76, and 67 websites.

Overall, Balada Injector was detected on over 17,000 WordPress sites in September 2023, with more than half of them (9,000) compromised through the exploitation of CVE-2023-3169.

These attack waves were swiftly fine-tuned, highlighting the threat actors' ability to quickly adapt their tactics for maximum impact.

To protect against Balada Injector, it is strongly advised to update the tagDiv Composer plugin to version 4.2 or later, which addresses the mentioned vulnerability.

Ensure all themes and plugins are up to date, eliminate inactive user accounts, and conduct file scans to detect hidden backdoors.
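The indicators listed in the attack waves above and the remediation advice in the last two paragraphs (scan wp_options for injected scripts, look for administrator accounts nobody created, check theme 404.php files and look for the wp-zexit.php plugin) can be turned into a simple triage script. The Python below is an added example written for this article; it is not tooling from the article, from tagDiv or from any security vendor mentioned. The option names, the usernames other than 'greeceman', and the file contents are constructed test data; on a real site the functions would be fed rows from the wp_options and wp_users tables and the path of the WordPress install.

```python
import os
import re
import tempfile

# Indicators reported in the article. Domains are kept defanged ("[.]") as
# printed and refanged only at comparison time.
BALADA_DOMAINS = ["stay.decentralappps[.]com", "promsmotion[.]com"]
BALADA_USERNAMES = {"greeceman"}
BALADA_PLUGIN_FILES = {"wp-zexit.php"}

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Decoding / eval primitives that typically wrap an obfuscated payload.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|String\.fromCharCode|atob|unescape)\s*\(",
    re.IGNORECASE,
)


def refang(domain):
    return domain.replace("[.]", ".")


def scan_wp_options(rows):
    """rows: iterable of (option_name, option_value), e.g. the result of
    'SELECT option_name, option_value FROM wp_options'. Returns
    [(option_name, reason)] for values that carry injected <script> tags."""
    findings = []
    for name, value in rows:
        for match in SCRIPT_TAG_RE.finditer(value or ""):
            script = match.group(0)
            if any(refang(d) in script for d in BALADA_DOMAINS):
                findings.append((name, "script loads from known Balada domain"))
            elif OBFUSCATION_RE.search(script):
                findings.append((name, "obfuscated inline script"))
    return findings


def audit_users(users, approved_admins):
    """users: iterable of (username, role). Flags the username seen in wave 2
    and any administrator that is not on the site owner's approved list
    (wave 2 later switched to hostname-derived usernames, so a known-bad
    list alone is not enough)."""
    findings = []
    for username, role in users:
        if username in BALADA_USERNAMES:
            findings.append((username, "known Balada username"))
        elif role == "administrator" and username not in approved_admins:
            findings.append((username, "administrator not on approved list"))
    return findings


def scan_files(root):
    """Walks a WordPress install; flags wp-zexit.php (wave 4) and any theme
    404.php that contains eval/decoding primitives (wave 3 persistence)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if filename in BALADA_PLUGIN_FILES:
                findings.append((rel, "known malicious plugin file"))
            elif filename == "404.php" and "/themes/" in rel:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if OBFUSCATION_RE.search(fh.read()):
                        findings.append((rel, "theme 404.php contains eval/decode primitives"))
    return findings


# Constructed sample data, not taken from any real site.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("custom_header_html", f'<script src="https://{refang(BALADA_DOMAINS[0])}/x.js"></script>'),
    ("widget_text", "<p>hi</p><script>eval(String.fromCharCode(118,97,114));</script>"),
    ("blogname", "Example site"),
]
SAMPLE_USERS = [("editor1", "editor"), ("owner", "administrator"),
                ("greeceman", "administrator"), ("example-com-admin", "administrator")]
APPROVED_ADMINS = {"owner"}


def run_demo():
    """Builds a constructed install tree in a temp dir and runs all checks."""
    with tempfile.TemporaryDirectory() as root:
        newspaper = os.path.join(root, "wp-content", "themes", "Newspaper")
        clean = os.path.join(root, "wp-content", "themes", "clean-theme")
        plugin = os.path.join(root, "wp-content", "plugins", "wp-zexit")
        for d in (newspaper, clean, plugin):
            os.makedirs(d)
        with open(os.path.join(newspaper, "404.php"), "w") as fh:  # constructed backdoored template
            fh.write("<?php get_header(); eval(base64_decode('PLACEHOLDER')); get_footer();")
        with open(os.path.join(clean, "404.php"), "w") as fh:  # benign template
            fh.write("<?php get_header(); get_template_part('404'); get_footer();")
        open(os.path.join(plugin, "wp-zexit.php"), "w").close()
        return {
            "options": scan_wp_options(SAMPLE_OPTIONS),
            "users": audit_users(SAMPLE_USERS, APPROVED_ADMINS),
            "files": sorted(scan_files(root)),
        }


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, items)
```

The domain and username lists will go stale quickly, as wave 5 and wave 6 show the operators rotating domains and randomising injections; the obfuscation check, the approved-administrator list and the theme 404.php check are the parts that keep working after the specific indicators change.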
