WordPress is no stranger to cyberattacks, and has now suffered another exploit, through which over one million sites have been infected. This malicious campaign has taken place using a kind of malware known as Balada Injector. But how does this malware work, and how did it manage to infect over a million WordPress sites?
The Basics of Balada Injector Malware
Balada Injector (a name first coined in a Dr.Web report) is a malware program that has been in use since 2017, when this huge WordPress infection campaign began. Balada Injector is a Linux-based backdoor used to infiltrate websites.
Backdoor malware and viruses can bypass typical login or authentication methods, allowing the attacker to access the administrative back end of a website. From there, the attacker can make unauthorized changes, steal precious data, and even shut the site down entirely.
Backdoors exploit weaknesses in websites in order to gain unauthorized access. Many websites out there have one or more weaknesses (also known as security vulnerabilities), so many hackers don’t have a hard time finding a way in.
So, how did cybercriminals manage to compromise over a million WordPress sites using Balada Injector?
How Did Balada Infect Over a Million WordPress Sites?
In April 2023, cybersecurity firm Sucuri reported on a malicious campaign it had been tracking since 2017. In the Sucuri blog post, it was stated that, in 2023, the company’s SiteCheck scanner detected the presence of Balada Injector over 140,000 times. One website was found to have been attacked a shocking 311 times using 11 different variations of Balada Injector.
Sucuri also stated that it has “more than 100 signatures covering both front-end and back-end variations of the malware injected into server files and WordPress databases.” The firm noticed that the Balada Injector infections typically take place in waves, spiking in frequency every few weeks.
To infect so many WordPress sites, Balada Injector specifically targeted vulnerabilities within the platform’s themes and plugins. WordPress offers thousands of plugins for its users, and a wide range of interface themes, some of which have been targeted by other hackers in the past.
What’s particularly interesting here is that the vulnerabilities targeted in the Balada campaign are already publicly known. Some of them were acknowledged years ago, while others were only discovered recently. Balada Injector’s goal is to remain present on the infected site long after it is deployed, even if the plugin it exploited receives an update.
In the aforementioned blog post, Sucuri listed a number of infection methods used to deploy Balada, including:
- HTML injections.
- Database injections.
- SiteURL injections.
- Arbitrary file injections.
On top of this, Balada Injector uses String.fromCharCode for obfuscation, which makes it harder for cybersecurity researchers to detect the malware and pick up on patterns within the attack technique.
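As an added illustration (not part of the original article or of Sucuri’s tooling), the snippet below shows how a defender might scan page or theme source for String.fromCharCode(...) calls and decode the character codes to see what the obfuscated script assembles; the sample HTML is constructed for this example.

```javascript
// Added example: locate String.fromCharCode(...) calls in HTML/JS source and
// decode their numeric arguments so the hidden string can be reviewed.
// CONSTRUCTED_SAMPLE is made-up test input, not real Balada code.
const CONSTRUCTED_SAMPLE = `
<script>var a=String.fromCharCode(104,116,116,112,115,58,47,47);</script>
<p>Normal page content</p>
<script>eval(String.fromCharCode(0x61,0x6c,0x65,0x72,0x74));</script>
`;

// Matches String.fromCharCode( n1, n2, ... ) with decimal or hex literals.
const FROM_CHAR_CODE_RE =
  /String\.fromCharCode\(\s*((?:0x[0-9a-f]+|\d+)(?:\s*,\s*(?:0x[0-9a-f]+|\d+))*)\s*\)/gi;

// Returns one finding per call: where it sits, how many codes it carries,
// the decoded text, and whether it is passed straight into eval().
function decodeFromCharCodeCalls(source) {
  const findings = [];
  for (const match of source.matchAll(FROM_CHAR_CODE_RE)) {
    // Number() accepts both "104" and "0x61".
    const codes = match[1].split(',').map((s) => Number(s.trim()));
    const before = source.slice(Math.max(0, match.index - 5), match.index);
    findings.push({
      offset: match.index,
      codeCount: codes.length,
      decoded: String.fromCharCode(...codes),
      wrappedInEval: /eval\($/.test(before),
    });
  }
  return findings;
}

// Simple triage heuristic: flag decoded URLs and anything fed to eval().
function isSuspicious(finding) {
  return finding.wrappedInEval || /^https?:\/\//i.test(finding.decoded);
}

// Stand-alone run: print each finding with its triage verdict.
for (const f of decodeFromCharCodeCalls(CONSTRUCTED_SAMPLE)) {
  console.log(`@${f.offset} eval=${f.wrappedInEval} -> "${f.decoded}"`,
    isSuspicious(f) ? '[SUSPICIOUS]' : '');
}
```

Decoding the arguments does not by itself prove malice; it makes the strings readable so they can be matched against known injection signatures or reviewed by hand.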
Hackers are infecting WordPress sites with Balada in order to redirect users to scam pages, such as fake lotteries, notification scams, and phony tech report platforms. Balada can also exfiltrate valuable information from infected site databases.
How to Avoid Balada Injector Attacks
There are some practices one can employ to avoid Balada Injector, such as:
- Regularly updating website software (including themes and plugins).
- Conducting regular cleans of software.
- Activating two-factor authentication.
- Using strong passwords.
- Limiting site administrator permissions.
- Implementing file integrity control systems.
- Keeping local development environment files separate from server files.
- Changing database passwords after any compromise.
Taking such steps can help you keep your WordPress website safe from Balada. Sucuri also has a WordPress cleanup guide that you can use to keep your site free of malware.
Balada Injector Is Still on the Loose
At the time of writing, Balada Injector is still out there and infecting websites. Until this malware is fully stopped in its tracks, it continues to pose a risk to WordPress users. While it’s shocking to hear how many sites it’s infected already, you’re fortunately not completely helpless against backdoor vulnerabilities and malware like Balada that exploits those flaws.