Website security company Sucuri has reported that a long-lasting malware campaign named Balada Injector has infected an estimated one million WordPress websites. The malware exploits known and recently discovered theme and plugin vulnerabilities to plant a backdoor that allows hackers to exfiltrate sensitive information.
The campaign started in 2017 and aims to redirect users to fake tech support pages, fraudulent lottery wins, and push notification scams.
Sucuri says that the malware attacks in waves, usually once a month, and uses freshly registered domain names to evade blocking lists. The malware employs several injection methods, including siteurl hacks, HTML injections, database injections, and arbitrary file injections.
The campaign has created duplicate site infections, with subsequent waves targeting already compromised sites.
Balada’s scripts focus on exfiltrating sensitive information such as database credentials from wp-config.php files, seeking backup archives and databases, access logs, debug info, and files containing sensitive information.
The malware also looks for the presence of database administration tools like Adminer and phpMyAdmin, which could be used to create new admin users, extract information from the site, or inject persistent malware into the database.
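As an added illustration (not code from Sucuri's report), here is a small defender-side audit in Python for two of the indicators described above: the wp_options siteurl/home values, to catch a siteurl hack, and a web-root file listing, to catch the backup archives, database dumps, logs and Adminer/phpMyAdmin copies the scripts hunt for. The expected hostname, helper names and sample data are assumptions constructed for the demo.

```python
from urllib.parse import urlparse

# Added defender-side audit for the indicators the report names; helper names
# and the sample data below are constructed for this example, not from Sucuri.
EXPECTED_HOST = "example.com"  # assumption: the site's legitimate hostname

# Artifacts the report says the scripts hunt for when left in the web root:
# backup archives, database dumps, logs/debug output, and DB admin tools.
BACKUP_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz",
                   ".bak", ".old", ".log")
ADMIN_TOOL_NAMES = ("adminer", "phpmyadmin")

def check_siteurl(options):
    """Flag a 'siteurl hack': the siteurl/home options must be plain URLs on
    the expected host, with no markup and no foreign domain spliced in."""
    findings = []
    for key in ("siteurl", "home"):
        value = options.get(key, "")
        if "<" in value or ">" in value:  # any tag at all is an injection
            findings.append(f"{key}: contains markup")
            continue
        host = urlparse(value).hostname or ""
        if host != EXPECTED_HOST:
            findings.append(f"{key}: unexpected host {host!r}")
    return findings

def find_exposed_files(paths):
    """Return web-root paths whose name marks them as a backup, dump, log or
    DB admin tool; each is fetchable by anyone who guesses the URL."""
    hits = []
    for path in paths:
        lowered = path.lower()
        name = lowered.rsplit("/", 1)[-1]
        if (name.endswith(BACKUP_SUFFIXES)
                or any(tool in lowered for tool in ADMIN_TOOL_NAMES)):
            hits.append(path)
    return sorted(hits)

SAMPLE_OPTIONS = {  # constructed wp_options values for the demo
    "siteurl": 'https://example.com<script src="https://bad.invalid/x.js"></script>',
    "home": "https://example.com",
}
SAMPLE_PATHS = [  # constructed web-root listing for the demo
    "index.php", "wp-config.php", "wp-config.php.bak", "backups/site-2023.tar.gz",
    "db/dump.sql", "wp-content/debug.log", "tools/adminer.php",
    "wp-content/plugins/akismet/akismet.php",
]

if __name__ == "__main__":
    for finding in check_siteurl(SAMPLE_OPTIONS):
        print("siteurl check:", finding)
    for path in find_exposed_files(SAMPLE_PATHS):
        print("exposed file:", path)
```

Run it against a real install by feeding it the `siteurl`/`home` rows from wp_options and a recursive listing of the document root; every hit is something to remove or move outside the web root.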
The Balada Injector plants multiple backdoors on compromised WordPress sites for redundancy, which act as hidden access points for the attackers. The names of the planted backdoors change in each campaign wave to make detection and removal more difficult for website owners. The researchers believe that the hackers uploaded the malware on websites “hosted on a private or virtual private servers that shows signs of not being properly managed or neglected.”
Defending against Balada Injector attacks may differ from one case to another, but Sucuri’s general WordPress malware cleanup guides should be enough to block most of the attempts.