HomeWinBuzzer NewsSignificant Surge in Balada Injector Malware Attacks Targets over 17,000 WordPress Websites

Significant Surge in Balada Injector Malware Attacks Targets over 17,000 WordPress Websites

Sucuri's data analysis of malware attacks reveal randomized injections, use of multiple domains and subdomains, and CloudFlare exploitation.


experts from Sucuri have reported a dramatic increase in websites compromised by the notorious “Balada Injector” malware. In September 2023, over 17,000 WordPress sites fell victim to the malware, a figure twice as large as the previous month. The malware, active since 2017, employs diverse attack vectors and persistence mechanisms, with its discovery attributed to AV firm Doctor Web in 2022.

Rapid Evolution and Premium Theme Vulnerabilities

Sucuri's findings detail the rapid evolution of malicious scripts alongside new techniques and approaches that indicate the strategic sophistication of the attackers. Following an examination of the data, several characteristics like randomized injections, simultaneous utilization of multiple domains and subdomains, and the abuse of CloudFlare were observed.

The largest portion of the attacks have been directed towards users of tagDiv's premium WordPress themes, taking advantage of the Newspaper theme vulnerability. Over 9,000 websites infected with the Balada Injector were using the Newspaper theme, marking a clear point of weakness. They have exploited a cross-site scripting vulnerability, CVE-2023-3169, in the tagDiv Composer plugin to their advantage.

Typically, “the obfuscated injection itself can be found in the ‘td_live_css_local_storage' option in the wp_options table of the WordPress database,” Sucuri researchers explain.

Further Attack Waves and Mitigation Measures

Several subsequent attack waves have been identified, with one of the more sinister approaches being the creation of rogue WordPress administrator accounts. Initially using the username ‘greeceman', the attackers later transitioned to auto-generated usernames based on the site's hostname.

Furthermore, an analysis of the attack methods reveals backdoors planted in the Newspaper theme's 404.php file and the installation of the wp-zexit plugin hidden in the website's Ajax interface.

These newly revealed Balada Injector attack methodologies highlight the essential nature of keeping WordPress components, such as themes and plugins, updated. Sucuri also recommends administrators upgrade the tagDiv Composer plugin to version 4.2 or later to address the known vulnerability. Routine scanning of files for hidden backdoors and removal of dormant user accounts can prevent further compromises.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News