The Balada Injector malware is alive and kicking, and compromising poorly protected WordPress websites across the internet, as well as using them to target visitors, new research has claimed.
A report from researchers at Cybernews claims to have found a compromised WordPress website during a “routine web monitoring operation”.
The compromised website was apparently targeted by the Balada Injector malware – a Linux-based backdoor used to infiltrate websites through common or otherwise known vulnerabilities in WordPress plugins, themes, and similar vulnerabilities. The Balada Injector is known for attacking in “waves” – every month or so, the injector would use a new domain name, and a new code, which it would try to add to the WordPress site’s code.
Waves of attacks
This particular site has had seven different instances of malicious code added and stacked on top of one another. That means that the website suffered seven “waves” of hacking attacks. This code, which was added to the very top of the page and would run before the website loaded, was meant to grant the attackers remote access to infected machines and redirect visitors to different websites with malvertising campaigns running.
When the researchers deobfuscated and examined some of the PHP payloads found on the compromised website, they discovered URLs of newly spawned Command & Control (C2) endpoints, and subsequent obfuscated JavaScript files, used in the operation scheme. A total of five URLs were found being accessed to load malicious JavaScript onto exploited websites, the researchers said.
The good news for potential victims is that the Balada Injector still isn’t as advanced as it could be. It doesn’t check if compromised websites have had malicious code added before, and because of that, instead of serving the landing page, the website forced the download of a PHP file, which raised red flags with the researchers and, at the end of the day, helped discover the hacking campaign.