Malware, Vulnerability Management

Ongoing Balada Injector campaign has infected one million WordPress sites since 2017

UKRAINE – 2021/11/22: In this photo illustration, the WordPress (WP, WordPress.org) logo is seen on a smartphone and in the background. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

An estimated one million WordPress websites have been infected over the past six years in a long-lasting malicious campaign that researchers are calling "Balada Injector.”  

The ongoing campaign exploits "all known and recently discovered theme and plugin vulnerabilities" to inject a Linux backdoor on WordPress sites, according to website security company Sucuri, which operates as a separate business unit within GoDaddy. This method allowed for various levels of access, and in many cases, the vulnerabilities exploited allowed an attacker to obtain critical information on the compromised websites. 

Since 2017, the campaign has continuously ranked in the top three of infections that Sucuri detects and cleans from affected sites. The campaign initiates fresh waves of attacks every few weeks, using newly registered domains and variations of previously-used malware. The most recent wave of attacks were observed just a few days ago when the campaign exploited a high-severity vulnerability in WordPress's Elementor Pro, a plugin used by 11 million websites. 

Denis Sinegubko, a senior malware researcher at GoDaddy, said the campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of newly-registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites, including fake tech support, fraudulent lottery wins, and push notifications scams.

The reach and scope of the malicious activity

“In 2022 alone, our external website scanner SiteCheck detected this malware over 141,000 times, with more than 67% of websites with blocklisted resources loading scripts from known Balada Injector domains,” Sinegubko wrote late last week. “We currently have more than 100 signatures covering both front-end and back-end variations of the malware injected into server files and WordPress databases.” 

The actors use the period between each wave to develop new attack routines, usually by gathering and testing new vulnerabilities. Each wave uses a new, freshly registered domain name that combine random English words together, such as sometimesfree[.]biz, and destinyfernandi[.]com. 

Over just the past year, Balada Injector has used over a hundred different domain names and leveraged a wide range of attack methods, including siteurl hacks, HTML injections, database injections, and arbitrary file injections, with attacks often involving multiple infections on the same site. In an example presented by Sinegubko, Sucuri found that a page (URLScan.io.cache) was attacked 311 times by 11 distinct malicious Balada scripts. 

"The entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes undisclosed 0-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosed," Sinegubko wrote.  

"Older vulnerabilities were not immediately discarded after initial rounds of infections and some of them remained in use for a long time after the patches were released."  

Post-infection activity  

Balada's scripts aim to steal database credentials in wp-config.php files, something that could allow continued access even if the site owner patches previously exploited vulnerabilities and removes the backdoor files. To evade detection, the attackers frequently altered the list of targeted files, adding "new elements" while removing "underperforming ones."  

"If the site is not compromised yet, they[the attackers] use various tricks to obtain contents of wp-config.php. And if it's already compromised, they read it to save the credentials for future uses," Sinegubko explained.  

Additionally, the campaign attempts to gain access to arbitrary site files, including backup archives, databases, access logs, debug info, while hunting for tools like Adminer and phpMyAdmin.  

The malware eventually led to the generation of fake WordPress admin users, stealing data from underlying hosts and leaving backdoors for continued access.  

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.