Cybersecurity experts from Sucuri have reported a dramatic increase in websites compromised by the notorious “Balada Injector” malware. In September 2023, over 17,000 WordPress sites fell victim to the malware, twice the previous month's figure. The malware, active since 2017, employs diverse attack vectors and persistence mechanisms; its discovery is attributed to the AV firm Doctor Web in 2022.
Rapid Evolution and Premium Theme Vulnerabilities
Sucuri's findings detail the rapid evolution of the malicious scripts, alongside new techniques and approaches that indicate the strategic sophistication of the attackers. An examination of the data revealed several recurring characteristics: randomized injections, simultaneous use of multiple domains and subdomains, and the abuse of Cloudflare.
The largest portion of the attacks has been directed at users of tagDiv's premium WordPress themes, taking advantage of a vulnerability in the Newspaper theme. Over 9,000 websites infected with the Balada Injector were using the Newspaper theme, marking a clear point of weakness. The attackers exploited a cross-site scripting vulnerability, CVE-2023-3169, in the tagDiv Composer plugin.
Typically, “the obfuscated injection itself can be found in the ‘td_live_css_local_storage’ option in the wp_options table of the WordPress database,” Sucuri researchers explain.
Further Attack Waves and Mitigation Measures
Several subsequent attack waves have been identified, one of the more sinister approaches being the creation of rogue WordPress administrator accounts. Initially using the username ‘greeceman’, the attackers later transitioned to auto-generated usernames derived from the site's hostname.
Furthermore, an analysis of the attack methods reveals backdoors planted in the Newspaper theme's 404.php file and the installation of a rogue wp-zexit plugin, whose functionality is hidden behind the website's Ajax interface.
These newly revealed Balada Injector attack methodologies highlight the essential nature of keeping WordPress components, such as themes and plugins, updated. Sucuri also recommends that administrators upgrade the tagDiv Composer plugin to version 4.2 or later to address the known vulnerability. Routine scanning of files for hidden backdoors and removal of dormant or unrecognized user accounts can prevent further compromises.
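As an added example (not Sucuri's code or any tool from the report), the following Python triage script checks a site export for the indicators named above: script-like content in the ‘td_live_css_local_storage’ option, the ‘greeceman’ administrator account or administrators whose login is derived from the hostname, the wp-zexit plugin directory, and obfuscated code in the theme's 404.php. The obfuscation regex, the hostname-derived-login heuristic, and all sample rows are assumptions constructed for the demonstration; real input would come from a wp_options/wp_users export or WP-CLI output.

```python
import re

# Indicators taken from the write-up above.
SUSPECT_OPTION = "td_live_css_local_storage"
KNOWN_ROGUE_USER = "greeceman"
ROGUE_PLUGIN = "wp-zexit"
# Generic obfuscation markers (assumption: not Balada-specific signatures).
OBFUSCATION = re.compile(r"eval\s*\(|base64_decode\s*\(|String\.fromCharCode|<script", re.I)

def check_options(options):
    """options: dict option_name -> option_value. The tagDiv option should hold
    plain CSS, so any script-like content in it is flagged."""
    value = options.get(SUSPECT_OPTION, "")
    if value and OBFUSCATION.search(value):
        return [f"wp_options:{SUSPECT_OPTION} contains script-like content"]
    return []

def check_admins(users, hostname):
    """users: list of (login, role). Flags the known rogue login and any
    administrator whose login embeds the hostname stem (heuristic, review manually)."""
    stem = hostname.split(".")[0].lower()
    findings = []
    for login, role in users:
        if role != "administrator":
            continue
        if login == KNOWN_ROGUE_USER or stem in login.lower():
            findings.append(f"wp_users: suspicious administrator '{login}'")
    return findings

def check_files(files):
    """files: dict relative_path -> content. Flags the rogue plugin directory
    and obfuscation markers inside any 404.php."""
    findings = []
    for path, content in files.items():
        if path.startswith(f"wp-content/plugins/{ROGUE_PLUGIN}/"):
            findings.append(f"filesystem: rogue plugin present at {path}")
        elif path.endswith("/404.php") and OBFUSCATION.search(content):
            findings.append(f"filesystem: obfuscated code in {path}")
    return findings

def triage(options, users, hostname, files):
    return check_options(options) + check_admins(users, hostname) + check_files(files)

# Constructed sample data standing in for a compromised site's export.
SAMPLE_OPTIONS = {"blogname": "Demo", SUSPECT_OPTION: "<script>eval(String.fromCharCode(118,97,114))</script>"}
SAMPLE_USERS = [("editor1", "editor"), ("greeceman", "administrator"), ("demo-site_admin", "administrator")]
SAMPLE_FILES = {"wp-content/plugins/wp-zexit/wp-zexit.php": "<?php // rogue plugin",
                "wp-content/themes/Newspaper/404.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));",
                "wp-content/themes/Newspaper/header.php": "<?php get_header();"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_OPTIONS, SAMPLE_USERS, "demo-site.example", SAMPLE_FILES):
        print(finding)
```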