Over 7,100 WordPress Sites Compromised by Balada Injector Malware Exploiting Plugin Vulnerability

January 15, 2024

The Balada Injector malware has infected more than 7,100 WordPress sites by exploiting a vulnerability in a plugin called Popup Builder. Doctor Web first documented the campaign in January 2023, and it has continued in periodic attack waves. The operators abuse security flaws in WordPress plugins to inject a backdoor that redirects visitors of compromised sites to fake tech support pages, fraudulent lottery wins, and push notification scams.

Sucuri, a website security company owned by GoDaddy, detected the latest Balada Injector activity on December 13, 2023. The company revealed that the operation has been ongoing since 2017 and has infiltrated no less than 1 million sites since its inception. The malware exploits a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8), which has over 200,000 active installs. This vulnerability was publicly disclosed by WPScan.

WPScan researcher Marc Montpas stated, "When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users." The campaign's ultimate objective is to insert a malicious JavaScript file hosted on specialcraftbox[.]com, gain control over the website, and load additional JavaScript to facilitate malicious redirects.

The threat actors behind Balada Injector maintain persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators. This is often achieved by using the JavaScript injections to specifically target logged-in site administrators. Sucuri researcher Denis Sinegubko explained last year, "The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page."

If logged-in admin cookies are detected, the malware uses the elevated privileges to install and activate a rogue backdoor plugin ("wp-felody.php" or "Wp Felody") that fetches a second-stage payload from the aforementioned domain. This payload, another backdoor named "sasas", is saved to the directory where temporary files are stored, executed, and then deleted from disk. It modifies the wp-blog-header.php file in any site root directories it finds to inject the same Balada JavaScript malware that was initially injected via the Popup Builder vulnerability.
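The chain above leaves three artefacts a defender can look for on disk: the rogue plugin file, references to the payload host, and tampering with wp-blog-header.php. The following scanner is an added example written for this article, not code from Sucuri, WPScan or the article's author. It assumes a standard WordPress layout (wp-content/plugins under the document root); the plugin directory name "wp-felody", the demo file contents and the placeholder "akismet" plugin are constructed for the demonstration, and the clean wp-blog-header.php is an approximation, not a byte-exact copy of any release, so on a real site the baseline hash should come from the matching official WordPress package.

```python
"""Defensive indicator scan for the Balada Injector chain described above.

Checks a WordPress document root for the artefacts the article names: the rogue
"wp-felody.php" plugin, references to the payload host, and changes to
wp-blog-header.php. All demo content (file bodies, plugin directory names) is
constructed for this example.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

ROGUE_PLUGIN_FILES = {"wp-felody.php"}
PAYLOAD_HOST = "specialcraftbox.com"  # written defanged as specialcraftbox[.]com in the article
CORE_FILE = "wp-blog-header.php"
SCANNED_SUFFIXES = {".php", ".js", ".html"}

# Match the bare host case-insensitively so subdomain or scheme variants still hit.
_HOST_RE = re.compile(re.escape(PAYLOAD_HOST), re.IGNORECASE)
_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_rogue_plugins(root: Path) -> list:
    """Any file under wp-content/plugins whose name matches the rogue plugin file."""
    plugins = root / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in plugins.rglob("*")
                  if p.is_file() and p.name in ROGUE_PLUGIN_FILES)


def find_payload_references(root: Path) -> list:
    """Every PHP/JS/HTML file anywhere in the install that references the payload host."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            if _HOST_RE.search(p.read_text(encoding="utf-8", errors="replace")):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def check_core_file(root: Path, baseline_sha256: Optional[str] = None) -> dict:
    """wp-blog-header.php is plain PHP glue: a <script> tag in it is a red flag.
    If the hash of the pristine file for this WordPress version is supplied, compare it too."""
    path = root / CORE_FILE
    if not path.is_file():
        return {"present": False, "script_tag": False, "matches_baseline": None}
    text = path.read_text(encoding="utf-8", errors="replace")
    digest = sha256_file(path)
    return {
        "present": True,
        "script_tag": bool(_SCRIPT_RE.search(text)),
        "matches_baseline": None if baseline_sha256 is None else digest == baseline_sha256,
        "sha256": digest,
    }


def scan(root: Path, baseline_sha256: Optional[str] = None) -> dict:
    core = check_core_file(root, baseline_sha256)
    rogue = find_rogue_plugins(root)
    refs = find_payload_references(root)
    infected = bool(rogue or refs or core["script_tag"] or core["matches_baseline"] is False)
    return {"rogue_plugins": rogue, "payload_references": refs, "core_file": core, "infected": infected}


# Constructed approximation of the stock wp-blog-header.php (not byte-exact to any release).
CLEAN_HEADER = """<?php
if ( ! isset( $wp_did_header ) ) {
\t$wp_did_header = true;
\trequire_once __DIR__ . '/wp-load.php';
\twp();
\trequire_once ABSPATH . WPINC . '/template-loader.php';
}
"""
# Constructed injection: a script tag pulling from the payload host, prepended to the core file.
INJECTED_LINE = '<script src="https://' + PAYLOAD_HOST + '/"></script>\n'


def baseline_hash() -> str:
    """Hash of the constructed clean header; on a real site use the official release file."""
    return hashlib.sha256(CLEAN_HEADER.encode()).hexdigest()


def build_demo_site(infected: bool = True) -> Path:
    """Lay out a throwaway WordPress-like tree; 'akismet' stands in for a legitimate plugin."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    legit = root / "wp-content" / "plugins" / "akismet"
    legit.mkdir(parents=True)
    (legit / "akismet.php").write_text("<?php // placeholder for a legitimate plugin\n")
    header = CLEAN_HEADER
    if infected:
        header = INJECTED_LINE + CLEAN_HEADER
        rogue_dir = root / "wp-content" / "plugins" / "wp-felody"  # directory name is an assumption
        rogue_dir.mkdir()
        (rogue_dir / "wp-felody.php").write_text("<?php // placeholder for the rogue plugin\n")
    (root / CORE_FILE).write_text(header)
    return root


if __name__ == "__main__":
    for label, site in (("infected", build_demo_site(True)), ("clean", build_demo_site(False))):
        print(label, scan(site, baseline_hash()))
```

Run it against a real document root with `scan(Path("/var/www/html"), baseline)` where `baseline` is the SHA-256 of wp-blog-header.php taken from the official package of the installed version; the `<script>` heuristic catches the injection even without a baseline, while the hash catches quieter edits to the file.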
