More than 17,000 WordPress websites have been affected by malware called Balada Injector in the month of September 2023, which is almost double the malware identified in August.
Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to perform stored cross-site scripting (XSS) attacks.
“This is not the first time that the Balada injector gang has targeted vulnerabilities in TagDiv’s premium themes,” said Sucuri security researcher Denis Sinegubko.
“One of the largest malware injections that we can attribute to this campaign occurred during the summer of 2017, where manifest security bugs in the Newspaper and Newsmag WordPress themes were actively abused.”
Balada Injector is a large-scale operation first discovered by Doctor Web in December 2022, in which threat actors exploit a variety of WordPress plugin flaws to deploy Linux backdoors on susceptible systems.
The main purpose of the implant is to direct users of compromised sites to fake technical support pages, fraudulent lottery winnings, and push notification scams. More than one million websites have been affected by the campaign since 2017.
The attacks linked to Balada Injector arrive in recurring waves every few weeks; in the latest wave, activity began over a weekend and a surge in infections was detected on the following Tuesday.
The latest set of breaches involves exploiting CVE-2023-3169 to inject malicious scripts and ultimately gain persistent access to sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.
Historically, these scripts have targeted logged-in WordPress site administrators, as they allow the adversary to perform malicious actions with elevated privileges via the admin interface, including creating new admin users that they can use for follow-on attacks.
The rapidly evolving nature of the scripts is evidenced by their ability to plant a backdoor in a website's 404 error page that is capable of executing arbitrary PHP code or, alternatively, to leverage code embedded into the pages to install a malicious wp-zexit plugin in an automated fashion.
Sucuri describes this as “one of the most complex types of attacks” performed by the script: it mimics the entire process of installing a plugin from a zip archive file and activating it.
The main functionality of the plugin is similar to that of a backdoor, which is to execute PHP code sent remotely by threat actors.
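The persistence mechanisms described above (rogue administrator accounts, a backdoored 404 template, and the unexpected wp-zexit plugin directory) are things a site owner can check for offline. The following triage script is an added example and is not Sucuri's or the campaign's code; the only campaign-specific detail it uses is the wp-zexit plugin slug named in the article. The PHP patterns it looks for in 404.php (eval/assert/base64_decode fed from request variables) are this example's own assumptions about what a "backdoor that executes arbitrary PHP code" tends to look like, not published indicators, and the user list shape assumes the fields of `wp user list --format=json`. The on-disk fixture and the user list are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a 404 template that executes attacker-supplied code will typically
# pass request data into eval()/assert()/base64_decode(). A legitimate 404.php
# only renders markup. These are this example's heuristics, not campaign IoCs.
SUSPICIOUS_PHP = re.compile(
    r"\b(?:eval|assert|create_function)\s*\(|base64_decode\s*\(|\$_(?:POST|GET|REQUEST|COOKIE)\s*\["
)

# Plugin slug named in the article; any other entries would be assumptions.
KNOWN_BAD_PLUGIN_SLUGS = {"wp-zexit"}


def scan_404_pages(wp_root):
    """Return [(relative path, first matched text)] for every theme 404.php
    under wp-content/themes that matches SUSPICIOUS_PHP."""
    root = Path(wp_root)
    hits = []
    for page in sorted((root / "wp-content" / "themes").rglob("404.php")):
        m = SUSPICIOUS_PHP.search(page.read_text(errors="replace"))
        if m:
            hits.append((str(page.relative_to(root)), m.group(0)))
    return hits


def find_unexpected_plugins(wp_root, allowlist):
    """Plugin directories that are known-bad or not on the owner's allowlist
    of intentionally installed plugins."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    found = {p.name for p in plugins_dir.iterdir() if p.is_dir()}
    return sorted((found & KNOWN_BAD_PLUGIN_SLUGS) | (found - set(allowlist)))


def find_rogue_admins(users, known_admins):
    """users: rows shaped like `wp user list --format=json` output (assumed:
    'user_login' and a comma-separated 'roles' string). Returns administrator
    logins the site owner does not recognise."""
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u["roles"].split(",") and u["user_login"] not in known_admins
    )


def run_triage(wp_root, users, allowed_plugins, known_admins):
    """Combine the three checks into one report."""
    return {
        "backdoored_404": scan_404_pages(wp_root),
        "unexpected_plugins": find_unexpected_plugins(wp_root, allowed_plugins),
        "rogue_admins": find_rogue_admins(users, known_admins),
    }


def build_fixture():
    """Constructed on-disk fixture standing in for a compromised install:
    one clean theme, one theme with a backdoored 404.php, and a wp-zexit
    plugin directory next to two expected plugins."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    themes = root / "wp-content" / "themes"
    plugins = root / "wp-content" / "plugins"
    (themes / "Newspaper").mkdir(parents=True)
    (themes / "Newspaper" / "404.php").write_text(
        "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"
    )
    (themes / "twentytwentythree").mkdir()
    (themes / "twentytwentythree" / "404.php").write_text(
        "<?php get_header(); ?>\n"
        "<?php if (isset($_POST['x'])) { eval(base64_decode($_POST['x'])); } ?>\n"
        "<?php get_footer(); ?>\n"
    )
    for slug in ("akismet", "td-composer", "wp-zexit"):
        (plugins / slug).mkdir(parents=True)
        (plugins / slug / f"{slug}.php").write_text("<?php // plugin stub\n")
    return root


# Constructed user list; the extra administrator stands in for a rogue account.
CONSTRUCTED_USERS = [
    {"user_login": "editor1", "roles": "editor"},
    {"user_login": "siteowner", "roles": "administrator"},
    {"user_login": "wp-admin-support", "roles": "administrator"},
]


def demo():
    root = build_fixture()
    return run_triage(
        root,
        CONSTRUCTED_USERS,
        allowed_plugins=["akismet", "td-composer"],
        known_admins={"siteowner"},
    )


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real install, point `run_triage` at the WordPress root, feed it the output of `wp user list --format=json`, and supply the plugin and admin allowlists from your own change records; a hit in any of the three lists is a reason to treat the site as compromised and rotate credentials rather than just delete the offending file.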
New attack waves observed in late September 2023 involve random code injections that install the wp-zexit plugin, which in turn downloads and launches second-stage malware from a remote server.
“Their placement in files of the compromised sites clearly shows that this time, instead of using the tagDiv Composer vulnerability, attackers leveraged their backdoors and malicious admin users that had been planted after successful attacks against website admins,” Sinegubko explained.