Balada Injector Exploits Popup Plugin Vulnerability over 7,100 WordPress Sites

In a sweeping cyber onslaught, over 7,100 WordPress sites have fallen victim to the Balada Injector malware, exploiting a critical vulnerability in the widely used Popup Builder plugin. The campaign, initially documented in January 2023, employs periodic attack waves targeting WordPress plugins’ security flaws. This results in the injection of a backdoor designed to redirect visitors to deceptive tech support pages, fraudulent lottery win schemes, and push notification scams.

The scale of this operation, which has reportedly been active since 2017, has now been unveiled, with the campaign infiltrating no fewer than 1 million sites over the years. Website security experts, who detected the latest Balada Injector activity on December 13, 2023, have identified compromised sites exceeding the alarming number of 7,100.

The attackers exploit a high-severity vulnerability (CVE-2023-6000, CVSS score 8.8) in the Popup Builder plugin, which has over 200,000 active installations; the flaw was publicly disclosed by WPScan and addressed in Popup Builder version 4.2.3. When successfully exploited, it allows attackers to perform any action permitted to the targeted site’s logged-in administrator, including installing arbitrary plugins and creating rogue administrator users.

The overarching objective of the Balada Injector campaign is to implant a malevolent JavaScript file hosted on specialcraftbox[.]com. This file enables the threat actors to seize control of the infected websites, loading additional JavaScript to facilitate malicious redirects. To maintain persistent control, the attackers resort to uploading backdoors, incorporating malicious plugins, and establishing rogue blog administrators.

The researcher emphasized the attackers’ modus operandi, particularly their utilization of JavaScript injections to target logged-in site administrators. When a blog administrator logs in, their browser contains cookies that grant access to administrative tasks without repeated authentication. Exploiting this, the attackers weaponize elevated privileges to install a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) when logged-in admin cookies are detected. This facilitates the retrieval of a second-stage payload from the specified domain.

The payload, identified as another backdoor, is stored under the name “sasas” in the temporary files directory, executed, and subsequently deleted from disk. Sinegubko explained that the malware scrutinizes directories up to three levels above the current one, seeking the root directory of the affected site and other potential sites sharing the same server account. In these identified site root directories, the malware manipulates the wp-blog-header.php file to inject the Balada JavaScript malware, replicating the initial injection via the Popup Builder vulnerability.

Guarding against the Balada Injector’s infiltration of WordPress sites requires prompt action. Site administrators should ensure that all plugins, especially those like Popup Builder, are up to date. Regular security audits and vulnerability assessments can identify potential weaknesses. Employing reputable security plugins, restricting access to critical site areas, and monitoring for unusual activities are crucial preventive measures.
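The indicators the article names (a tampered wp-blog-header.php, a "wp-felody.php" plugin, a "sasas" file in the temp directory, the specialcraftbox[.]com domain) and its note that the malware hunts for sibling sites on the same hosting account translate directly into a clean-up check. The script below is an added example for this page, not code from the article, from the researchers quoted or from WordPress; it scans every WordPress install up to three levels below a hosting account root and reports any of those indicators. The sample account tree it builds (one clean site, one infected sibling) and the placeholder file contents are constructed here, and the depth handling is this example's own design.

```python
"""Scan a hosting account for the Balada Injector indicators named in the article.

Added example for this page; it is not code from the article, from the researchers
quoted or from WordPress. The sample site tree it scans is constructed inline below.
"""
import re
import tempfile
from pathlib import Path

# Indicators taken from the article. The domain is printed defanged there
# (specialcraftbox[.]com); it is re-joined here only so file contents can be matched.
MALICIOUS_DOMAIN = "specialcraftbox" + ".com"
ROGUE_PLUGIN_FILE = "wp-felody.php"     # the "Wp Felody" backdoor plugin
DROPPED_PAYLOAD_NAME = "sasas"          # second-stage file in the temp directory

# The stock wp-blog-header.php only requires wp-load.php and the template loader;
# markup, the known domain or obfuscation helpers inside it indicate tampering.
HEADER_PATTERNS = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(re.escape(MALICIOUS_DOMAIN), re.IGNORECASE),
    re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
]

Finding = tuple[str, str, str]   # (indicator kind, path, matched detail)

def check_blog_header(docroot: Path) -> list[Finding]:
    """Return one finding if wp-blog-header.php matches any tamper pattern."""
    header = docroot / "wp-blog-header.php"
    if not header.is_file():
        return []
    text = header.read_text(errors="replace")
    hits = [m.group(0) for m in (p.search(text) for p in HEADER_PATTERNS) if m]
    return [("modified_blog_header", str(header), ", ".join(hits))] if hits else []

def check_rogue_plugin(docroot: Path) -> list[Finding]:
    """Look for the wp-felody.php backdoor anywhere under wp-content/plugins."""
    plugins = docroot / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return [("rogue_plugin", str(p), ROGUE_PLUGIN_FILE) for p in plugins.rglob(ROGUE_PLUGIN_FILE)]

def check_dropped_payload(tmpdir: Path) -> list[Finding]:
    """The article says the payload is deleted after it runs, so a leftover
    file named 'sasas' in the temp directory is a bonus but strong signal."""
    payload = tmpdir / DROPPED_PAYLOAD_NAME
    return [("dropped_payload", str(payload), DROPPED_PAYLOAD_NAME)] if payload.exists() else []

def scan_account(account_root: Path, tmpdir: Path, max_depth: int = 3) -> list[Finding]:
    """Scan every WordPress docroot up to max_depth directory levels below account_root.

    The malware walks up to three levels to reach sibling sites on the same account,
    so a clean-up has to cover every install the account can reach, not only the
    one that was reported. The depth handling is this example's own design.
    """
    findings: list[Finding] = []
    for header in account_root.rglob("wp-blog-header.php"):
        if len(header.relative_to(account_root).parts) - 1 > max_depth:
            continue
        docroot = header.parent
        findings += check_blog_header(docroot)
        findings += check_rogue_plugin(docroot)
    findings += check_dropped_payload(tmpdir)
    return findings

# Constructed sample: one clean site and one infected sibling site on the same account.
CLEAN_HEADER = """<?php
if ( ! isset( $wp_did_header ) ) {
\t$wp_did_header = true;
\trequire_once __DIR__ . '/wp-load.php';
\twp();
\trequire_once ABSPATH . WPINC . '/template-loader.php';
}
"""
INJECTED_HEADER = CLEAN_HEADER + f'?><script src="//{MALICIOUS_DOMAIN}/constructed-sample.js"></script>\n'

def build_sample_account() -> tuple[Path, Path]:
    """Create a throwaway account tree and temp dir; returns (account_root, tmpdir)."""
    root = Path(tempfile.mkdtemp(prefix="balada-demo-"))
    clean = root / "public_html"
    infected = clean / "blog2"
    for site in (clean, infected):
        (site / "wp-content" / "plugins").mkdir(parents=True)
    (clean / "wp-blog-header.php").write_text(CLEAN_HEADER)
    (infected / "wp-blog-header.php").write_text(INJECTED_HEADER)
    rogue = infected / "wp-content" / "plugins" / "wp-felody"
    rogue.mkdir()
    (rogue / ROGUE_PLUGIN_FILE).write_text("<?php // constructed placeholder, not the real backdoor\n")
    tmpdir = root / "tmp"
    tmpdir.mkdir()
    (tmpdir / DROPPED_PAYLOAD_NAME).write_text("constructed placeholder\n")
    return root, tmpdir

def run_demo() -> list[Finding]:
    """Build the sample account and return the scanner's findings."""
    root, tmpdir = build_sample_account()
    return scan_account(root, tmpdir)

if __name__ == "__main__":
    for kind, path, detail in run_demo():
        print(f"{kind:22} {path}  [{detail}]")
```

Run against a real account by calling `scan_account(Path("/home/account"), Path("/tmp"))`; the clean site in the sample yields nothing, while the sibling install under blog2 produces the modified header and rogue plugin findings, which is exactly the case where fixing only the reported site would leave the reinfection path in place.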