According to information security experts, about a million WordPress sites have been compromised as a result of the Balada Injector malware campaign, which has been going on since 2017.
Attackers use “all known and newly discovered vulnerabilities in themes and plugins” to inject Linux backdoors into websites.
Let me remind you that we previously reported that a Vulnerability in the WordPress Tatsu Builder Plugin Is under Attack, and that 10,800 WordPress Sites Were Infected with a Backdoor.
Information security specialists also reported that Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin.
Sucuri analysts say that Balada Injector attacks come in waves, about once a month, and each of them uses a newly registered domain name to bypass blacklists.
In its attacks, the malware mostly exploits newly disclosed vulnerabilities, and the Balada Injector operators build a custom attack routine around each specific flaw. Researchers have observed, for example, siteurl attacks (rewriting the siteurl option in wp_options so that the site loads scripts from an attacker-controlled domain), HTML injections, database injections, and arbitrary file injections.
(Image: list of attacked plugins)
Because so many different attack vectors are in play, previously hacked sites are often re-infected. Sucuri describes one site that was attacked 311 times by 11 different versions of Balada Injector.
(Image: a typical Balada Injector)
After a successful attack, the malware scripts focus on stealing sensitive information, including the wp-config.php file, which holds the database credentials. As a result, even if the site owner cleans up the infection and patches the vulnerable plugins, the attackers can retain access to the site through the stolen credentials.
The malware also searches the infected site for backups and databases, access logs, debugging information, and files that may contain confidential information. The attacker frequently updates the lists of such target files.
The malware is also interested in database administration tools such as Adminer and phpMyAdmin. If these are vulnerable or misconfigured, they can be used to create new administrator users, extract data, or inject persistent malware into the site's database.
If none of these easier routes is available, the malware operators fall back to brute-forcing the administrator password, trying a list of 74 credentials.
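A small, fixed credential list like the one described above leaves a recognisable trace in the web server's access log: a burst of POST requests to wp-login.php from one client, each answered with a 200 (WordPress re-renders the login form on failure and answers a successful login with a 302 redirect). The following detection script is an added example written for this article; it is not Sucuri's code and uses no Balada Injector indicators. It assumes the Apache/nginx "combined" log format, and the sample log lines, IP addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def wp_login_bursts(lines, threshold=20, window_s=300):
    """Return {ip: attempts} for clients whose failed login attempts exceed
    `threshold` inside any `window_s`-second sliding window.

    A POST to wp-login.php answered with 200 is a failed attempt (WordPress
    re-renders the form); a successful login is a 302 redirect. POSTs to
    xmlrpc.php are counted regardless of status, because XML-RPC reports a
    bad password as a fault inside a 200 response."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RX.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path.endswith("/wp-login.php"):
            if m["status"] != "200":
                continue
        elif not path.endswith("/xmlrpc.php"):
            continue
        per_ip[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))

    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until the window spans <= window_s.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            offenders[ip] = best
    return offenders


def sample_log():
    """Constructed log lines (not from a real incident): one client cycles
    through 74 credentials in under three minutes, another user logs in
    normally three times, and a crawler only probes xmlrpc.php with GET."""
    base = datetime(2023, 4, 10, 12, 0, 0, tzinfo=timezone.utc)
    ua = '"-" "Mozilla/5.0"'
    lines = []
    for i in range(74):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3212 {ua}')
    for i in range(3):
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'198.51.100.2 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 2817 {ua}')
        lines.append(f'198.51.100.2 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0 {ua}')
    lines.append(f'192.0.2.9 - - [{base.strftime(TS_FMT)}] "GET /xmlrpc.php HTTP/1.1" 405 42 {ua}')
    return lines


if __name__ == "__main__":
    for ip, n in wp_login_bursts(sample_log()).items():
        print(f"{ip}: {n} failed logins inside a 5-minute window")
```

Run against a real access log with `wp_login_bursts(open("/var/log/apache2/access.log"))`; the 302-versus-200 distinction is what keeps ordinary users out of the result, so do not drop it if you adapt the script to a different log format.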
Balada Injector places several backdoors on compromised sites that act as hidden access points for hackers.
According to the researchers, at one point in 2020 the malware dropped backdoors into 176 predefined paths, which made the infection extremely hard to eliminate. Moreover, the names of the installed backdoors changed with each new wave, making affected sites even harder to detect and clean up.
The researchers say that Balada injectors are not present on every hacked site, since managing such a large number of clients would not be easy. They believe that the hackers upload the injector to sites “hosted on private or virtual private servers that are not managed properly or appear to be running.”
The injectors then look for other sites belonging to the same account on the server, with the same file permissions, find writable directories (starting with the most privileged ones), and carry out cross-site infection. This approach lets the attackers compromise several sites at once and spread backdoors quickly with a minimal number of injections.
In addition, cross-site infection lets the attackers repeatedly re-infect sites that have already been “cleaned”, as long as they retain access to the VPS.
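Two of the conditions described above can be checked from the shell account rather than from inside WordPress: directories writable by other users of the host (the route for cross-site infection) and dropped PHP files whose names change from wave to wave (so a scan has to key on content, not file names). The script below is an added example written for this article, not Sucuri's tooling, and its heuristics are generic webshell traits rather than Balada Injector indicators. The sample site it builds, including the file names `wp-content/uploads/.cache/wp-tmp.php` and `wp-content/plugins/demo/demo.php`, is constructed purely for the demonstration.

```python
import os
import re
import stat
import tempfile

# Generic webshell traits, deliberately not tied to any one campaign: dropped
# backdoors change names and paths between waves, so the scan keys on content.
# One trait alone is common in legitimate code (plugins call base64_decode), so
# a file is flagged only when it shows FLAG_THRESHOLD distinct traits.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gz_decompress": re.compile(r"\bgz(?:inflate|uncompress|decode)\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    "request_as_callable": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
FLAG_THRESHOLD = 2


def find_writable_dirs(root):
    """Directories under root that are writable by group or others, as paths
    relative to root. On a shared account these are exactly the places where
    an injector on one site can write a backdoor into a neighbouring site."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def scan_php_files(root):
    """Map each .php file that shows at least FLAG_THRESHOLD distinct traits
    to the list of traits found, keyed by path relative to root."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            traits = [t for t, rx in SUSPICIOUS.items() if rx.search(text)]
            if len(traits) >= FLAG_THRESHOLD:
                flagged[os.path.relpath(full, root)] = traits
    return flagged


def wp_config_world_readable(root):
    """True if wp-config.php, which holds the database credentials the
    campaign harvests, is readable by every account on the host. Whether
    that is acceptable depends on which user PHP runs as; when PHP runs as
    the site owner, mode 0400 or 0440 is sufficient."""
    path = os.path.join(root, "wp-config.php")
    return os.path.exists(path) and bool(os.stat(path).st_mode & stat.S_IROTH)


def build_demo_site():
    """Constructed sample tree so the scan runs stand-alone. Names and
    contents are invented for this example and are not real indicators:
    a clean core file, a legitimate plugin with a single base64_decode call,
    a planted backdoor under a world-writable uploads directory, and a
    world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-config.php": "<?php\ndefine('DB_PASSWORD', 'demo-only');\n",
        "wp-content/plugins/demo/demo.php": "<?php\n$logo = base64_decode($encoded_png);\n",
        "wp-content/uploads/.cache/wp-tmp.php":
            "<?php\nif (isset($_POST['k'])) { eval(base64_decode($_POST['k'])); }\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Pin directory modes so the result does not depend on the caller's umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)
    return root


if __name__ == "__main__":
    site = build_demo_site()
    print("writable dirs:", find_writable_dirs(site))
    print("suspicious php:", scan_php_files(site))
    print("wp-config.php world-readable:", wp_config_world_readable(site))
```

On a real host, point the three check functions at each document root of the account in turn; a hit in one site's writable directory is a problem for every other site that account owns, which is the point the cross-site infection technique exploits. Treat the content scan as triage rather than proof: a legitimate obfuscated plugin can cross the threshold, and a backdoor can be written to avoid every pattern above.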
Sucuri notes that defending against Balada Injector has to be handled case by case: because of the variety of attack vectors, there is no single set of instructions that administrators can follow to protect themselves.