Over 17,000 WordPress websites have been compromised as a result of the notorious Balada Injector attack. The Balada Injector, discovered in 2022 but thought to have been active since 2017, weaponizes vulnerabilities in premium WordPress themes and plugins to install malicious backdoors.
Following infection, these backdoors redirect website users to fake tech help pages, bogus lottery winnings, fraudulent push notification hoaxes, and other scams.
With such a wide range of deceptive techniques, experts believe that Balada Injector is either a service offered to other threat actors or a direct component of a scam operation.
The recent wave of attacks is being blamed on the tagDiv Composer plugin's CVE-2023-3169 cross-site scripting (XSS) vulnerability. This plugin is found on an estimated 155,000 websites with the Newspaper and Newsmag WordPress themes, both premium products, laying the groundwork for possible attacks.
This effort started in September, following the public disclosure of the vulnerability and the publishing of a proof-of-concept.
In a recent analysis, website security firm Sucuri exposed the extent of the infiltration, citing specific indications of the attack, such as a malicious script located within separate tags. Sucuri discovered six different attack waves:
Over 5,000 websites were compromised by malicious script injections from stay.decentralappps[.]com.
- Making rogue WordPress administrator accounts with the login "greeceman" at first, then switching to ones that are automatically produced based on website hostnames.
- By using the WordPress theme editor to make changes to the 404.php file for the Newspaper theme, you can gain persistence covertly.
- The installation of the deceptive wp-zexit plugin, which emulates authorised WordPress administrator activities.
- Three new malicious domains with higher obfuscation were introduced, complicating detection attempts.
- Using promsmotion[.]com subdomains instead of the preceding domain, three distinct injection methods were discovered on a total of 235 websites.
The CVE-2023-3169 vulnerability was used to compromise over 9,000 of the 17,000 compromised sites, demonstrating the attackers' tremendous effectiveness and ability to adapt quickly for maximum impact.
Webmasters and site owners should immediately upgrade the tagDiv Composer plugin to version 4.2 or later, which addresses the known flaw. Regular upgrades to themes, plugins, and all website components remain critical in protecting against such formidable threats.
