
Balada Injector Infected Over a Million Sites in Last Five years

A massive WordPress infection campaign, ongoing since 2017, has now been mapped out and given a formal name: Balada Injector. Several security firms had been independently tracking parts of the campaign via specific domain names or individual malvertising drives. A recent study, however, brings all of those attacks under a single umbrella campaign that leverages all known vulnerabilities in WordPress themes and plugins.

Balada Injector's mayhem

According to Sucuri, the campaign has infected over one million WordPress websites over a duration of around five years.
  • Each year, these attacks have ranked among the top three website infections. Last year Balada Injector was detected over 141,000 times.
  • The attacks have been observed at a frequency of one wave per month, leveraging custom attack routines around newly disclosed vulnerabilities.
  • The most recent wave of the Balada Injector attack, observed a few days ago, targeted the Elementor Pro plugin for WordPress, affecting over 11 million websites.

Attack methods

The common characteristics of this campaign include the use of freshly registered domains to host malicious scripts. The campaign further attempts to redirect victims to scam sites via fraudulent lottery wins, fake tech support, and push notification scams.
  • These attacks commonly use multiple injection methods (sometimes within a single attack) such as HTML injections, arbitrary file injections, database injections, flawed reinfections, and siteurl hacks.
  • The attacks often include multiple infections on the same site. In one specific case, a site was attacked 311 times, using 11 different variants of Balada.
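As an added illustration that is not part of the report, the following defender-side check targets two of the injection methods named above, database injections and siteurl hacks: it inspects constructed wp_options and wp_posts rows for script tags loading from hosts outside an allowlist. The option names, sample hosts and allowlist are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows, modelled on a simplified wp_options / wp_posts dump.
# Hostnames and values are hypothetical.
OPTIONS = {
    "siteurl": "https://blog.example.org",
    "home": "https://blog.example.org/?<script src='//stat.example-cdn.test/x.js'></script>",
}
POSTS = [
    (1, "<p>Welcome</p>"),
    (2, "<p>Offer</p><script src='https://newly-registered.test/a.js'></script>"),
    (3, "<script async src='https://www.googletagmanager.com/gtag/js'></script>"),
]
# Hosts the site legitimately loads scripts from (assumed for the example)
ALLOWED_HOSTS = {"blog.example.org", "www.googletagmanager.com"}

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def host_of(url):
    """Extract the hostname, handling protocol-relative '//host/path' forms."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or ""


def check_siteurl(options):
    """Return option keys whose value is not a clean URL on an allowed host.

    A siteurl/home value containing markup or pointing elsewhere is the
    signature of a siteurl hack: WordPress echoes it into every page.
    """
    findings = []
    for key in ("siteurl", "home"):
        val = options.get(key, "")
        if "<" in val or host_of(val) not in ALLOWED_HOSTS:
            findings.append(key)
    return findings


def check_posts(posts):
    """Return (post_id, host) for script tags loaded from non-allowlisted hosts."""
    findings = []
    for post_id, content in posts:
        for src in SCRIPT_SRC.findall(content):
            h = host_of(src)
            if h and h not in ALLOWED_HOSTS:
                findings.append((post_id, h))
    return findings
```

Run against a real export, the same two checks can be pointed at the `option_value` and `post_content` columns; new hosts that appear between scheduled runs are the ones worth investigating.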

Post-infection activities

  • The malware scans for misconfigured or vulnerable instances of database administration tools such as phpMyAdmin and Adminer.
  • When found, they are used to create new admin users, deploy persistent malware (backdoors), and extract additional data from the sites.
  • It also attempts to brute-force WordPress admin accounts, using a set of 74 credentials as candidate passwords.

Balada Injector attacks exfiltrate information, including configuration files, database credentials, access logs, backup archives, and other sensitive data. Moreover, it refreshes the list of targeted files frequently.

Ending notes

The Balada Injector campaign leverages multiple attack methods, such as exploiting vulnerabilities, brute-forcing weak credentials, and multiple injection techniques. Protection against such attacks requires a comprehensive approach to security and cyber hygiene. Experts suggest implementing strong password policies, a robust patch management process, and regular audits of exposed domains and infrastructure to close any loopholes in the system.
Cyware Publisher
