In September 2023, more than 17,000 WordPress websites fell victim to a malware called Balada Injector, marking a nearly twofold increase in detections compared to August.
Out of these compromised sites, approximately 9,000 were breached using a recently disclosed security vulnerability found in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1). This flaw could be exploited by unauthenticated users to execute stored cross-site scripting (XSS) attacks.
The Balada Injector group has a history of targeting vulnerabilities in tagDiv’s premium themes, with notable malware injections dating back to the summer of 2017. During this time, disclosed security vulnerabilities in WordPress themes like Newspaper and Newsmag were actively exploited.
Balada Injector is a large-scale operation, first identified by Doctor Web in December 2022. In this campaign, threat actors leverage various vulnerabilities in WordPress plugins to implant a Linux backdoor on vulnerable systems.
The primary objective of this implant is to redirect users of compromised websites to fraudulent tech support pages, deceptive lottery winnings, and push notification scams. This campaign has impacted over a million websites since 2017.
Attacks involving Balada Injector typically follow recurring activity patterns, with surges in infections frequently occurring on Tuesdays after a weekend wave of activity.
The latest breaches involve the exploitation of CVE-2023-3169 to inject a malicious script, ultimately enabling persistent access to the compromised sites through the uploading of backdoors, the addition of malicious plugins, and the creation of rogue blog administrators.
Historically, these scripts have primarily targeted logged-in WordPress site administrators, allowing adversaries to carry out malicious actions with elevated privileges via the admin interface. This includes creating new admin users for follow-up attacks.
The evolving nature of these scripts is evident in their ability to embed a backdoor in a website’s 404 error pages, capable of executing arbitrary PHP code. Alternatively, they can utilize code embedded within pages to automatically install a malicious wp-zexit plugin.
Sucuri has described this attack as “one of the most complex types” conducted by the script, as it simulates the entire process of installing a plugin from a ZIP archive file and activating it.
The primary function of the plugin is identical to the backdoor, allowing the execution of remotely sent PHP code by the threat actors.
In late September 2023, newer attack waves introduced randomized code injections to download and launch a second-stage malware from a remote server for the installation of the wp-zexit plugin. Additionally, obfuscated scripts were employed to transmit visitor cookies to an actor-controlled URL, receiving unspecified JavaScript code in return.
Rather than exploiting the tagDiv Composer vulnerability this time, the attackers utilized their backdoors and malicious admin users that had been planted after successful attacks against website administrators.