Balada Injector Malware Targets Websites Using WordPress

According to GoDaddy's Sucuri, a massive campaign named Balada Injector has infected more than one million WordPress websites with malware since 2017. The attackers use various methods and vulnerabilities to breach WordPress sites, including theme and plugin vulnerabilities. The attacks occur in waves every few weeks and are easily identifiable by their use of String.fromCharCode obfuscation, domain names hosting malicious scripts, and redirects to scam sites.

The malware is designed to generate fake WordPress admin users, harvest data stored on the hosts, and leave backdoors for persistent access. The attackers also search for writable directories belonging to other sites associated with the compromised website's file system. The attacks include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages that prompt users to turn on notifications to verify that they are not robots, enabling the attackers to send spam ads.

Balada Injector has relied on over 100 domains and various methods, such as HTML injection and Site URL, to exploit known security flaws. The attackers mainly aim to obtain database credentials stored in the wp-config.php file. The malware can read or download arbitrary site files, including backups, database dumps, log and error files, and search for tools such as adminer and phpmyadmin left behind by site administrators.

Recently, Palo Alto Networks Unit 42 discovered a similar malicious JavaScript injection campaign that redirects visitors to adware and misleading pages. Over 50,000 websites have been affected since 2022.

How Can Hackers Compromise Legitimate Pages Using Code Injection?

Hackers can compromise legitimate pages using code injection by exploiting vulnerabilities in the code or software used to build the website. There are several types of code injection attacks, such as SQL injection, Cross-Site Scripting (XSS), and Remote File Inclusion (RFI).

SQL injection involves inserting malicious SQL code into a website's database query, which can allow an attacker to bypass authentication, retrieve sensitive information, or modify the database.

XSS is a type of injection attack that targets users visiting a website, rather than the website itself. Attackers inject malicious scripts into web pages viewed by users, allowing them to steal session cookies, redirect users to phishing sites, or steal login credentials.

RFI involves injecting malicious code into a web page by exploiting a vulnerability in a web application's file include mechanism. This allows the attacker to execute remote code on the server, which can lead to complete control of the web server and sensitive information being exposed.

Hackers can also use code injection to insert malicious code into legitimate websites that can lead to the spread of malware or phishing attempts. To prevent code injection attacks, it is important to keep web applications and plugins up to date, validate user input, and use secure coding practices.