
Massive Balada Injector Campaign Compromises Over 17,000 Websites

Vlad CONSTANTINESCU

October 11, 2023


The notorious Balada Injector campaign has been linked to the compromise of over 17,000 WordPress websites. Balada Injector, discovered in 2022 but believed to have been operational since 2017, weaponizes vulnerabilities in premium WordPress themes and plugins to implant malicious backdoors.

Upon infiltration, these backdoors divert website visitors to counterfeit tech support pages, fake lottery wins, push notification hoaxes and other scams.

With such a range of deceptive tactics, experts postulate that Balada Injector is either a service peddled to other threat actors or a direct component of a scam initiative.

The recent wave of attacks is attributed to the exploitation of CVE-2023-3169, a cross-site scripting (XSS) vulnerability in the tagDiv Composer plugin. Bundled with the Newspaper and Newsmag WordPress themes, both premium offerings, this plugin is found on an estimated 155,000 websites, setting a vast stage for potential attacks.

Following the vulnerability's public disclosure and the release of a proof-of-concept, this campaign took off in September.

Website security firm Sucuri revealed the extent of the compromise in a recent report, highlighting specific indicators of the attack, such as a malicious script injected within specific HTML tags.

Sucuri identified six distinct attack waves:

  1. Malicious script injections from stay.decentralappps[.]com, compromising over 5,000 websites.
  2. Creation of rogue WordPress administrator accounts, initially with the username "greeceman" but later switching to auto-generated ones based on website hostnames.
  3. Silently achieving persistence by tampering with the Newspaper theme's 404.php file via WordPress' theme editor.
  4. Deployment of a deceptive wp-zexit plugin that mimics legitimate WordPress administrator actions.
  5. Introduction of three new malicious domains with increased obfuscation, complicating detection efforts.
  6. Switching to promsmotion[.]com subdomains instead of the previous domain, with three unique injection methods spotted on a combined 235 websites.

Over 9,000 of the 17,000 compromised sites were breached through the CVE-2023-3169 vulnerability, showing how effective the attackers are and how swiftly they adapt for maximum impact.

For webmasters and site owners, the best line of defense is to promptly update the tagDiv Composer plugin to version 4.2 or later, which addresses the known flaw. Regular updates to themes, plugins and all website components remain crucial in safeguarding against such formidable threats.
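As an added defender-side example that is not part of this article or of Sucuri's report, the Python script below checks a WordPress install for the indicators the six waves above describe: the rogue "greeceman" account, the wp-zexit plugin directory, a script tag planted in the Newspaper theme's 404.php, and references to the two injector domains. The sample site it builds is constructed for the demonstration, and the file layout and the `scan_wordpress` and `build_sample_site` names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the Sucuri findings summarised above (defanged "[.]" restored).
INJECTOR_DOMAINS = ("stay.decentralappps.com", "promsmotion.com")
ROGUE_USERNAMES = ("greeceman",)  # later waves used hostname-derived names, so also review every admin by hand
ROGUE_PLUGIN_DIRS = ("wp-zexit",)
THEME_404 = Path("wp-content/themes/Newspaper/404.php")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def scan_wordpress(root, usernames):
    """Return findings for the install at `root`; `usernames` are the site's
    user logins (e.g. from WP-CLI's `wp user list`)."""
    root = Path(root)
    findings = []
    for user in usernames:
        if user in ROGUE_USERNAMES:
            findings.append(f"rogue admin account: {user}")
    for plugin in ROGUE_PLUGIN_DIRS:
        if (root / "wp-content" / "plugins" / plugin).is_dir():
            findings.append(f"rogue plugin present: {plugin}")
    page404 = root / THEME_404
    # A 404 template normally renders markup, not scripts; treat a <script> tag
    # as a heuristic hit and diff the file against a pristine copy of the theme.
    if page404.is_file() and SCRIPT_TAG.search(page404.read_text(errors="ignore")):
        findings.append(f"script tag in {THEME_404.as_posix()}")
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            text = path.read_text(errors="ignore")
            for domain in INJECTOR_DOMAINS:
                if domain in text:
                    findings.append(f"{domain} referenced in {path.relative_to(root).as_posix()}")
    return findings


def build_sample_site(compromised=True):
    """Constructed sample install (not real data): a Newspaper theme whose 404.php
    carries an injected script and a rogue wp-zexit plugin when `compromised`."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    theme = root / "wp-content" / "themes" / "Newspaper"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); ?>\n")
    page404 = "<?php get_header(); ?>\n<h1>Not found</h1>\n"
    if compromised:
        page404 += '<script src="https://stay.decentralappps.com/x.js"></script>\n'
        (root / "wp-content" / "plugins" / "wp-zexit").mkdir(parents=True)
    (theme / "404.php").write_text(page404)
    return root
```

Run `scan_wordpress("/path/to/wordpress", usernames)` against a real document root; an empty list means none of these specific indicators were found, not that the site is clean.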

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.