Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with malware called Balada Injector.
First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.
Subsequent findings by Sucuri have revealed the large scale of the operation, which is said to have been active since 2017 and has infiltrated at least 1 million sites since then.
The GoDaddy-owned website security company, which detected the latest Balada injector activity on December 13, 2023, said it has identified the injection on more than 7,100 sites.
These attacks exploit a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with over 200,000 active installs – that was publicly disclosed by WPScan a day earlier. The issue was resolved in version 4.2.3.
“When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users,” WPScan researcher Marc Montpas said.
The ultimate goal of the campaign is to insert a malicious JavaScript file hosted on specialcraftbox[.]com and use it to take control of the website and load additional JavaScript to facilitate malicious redirects.
Additionally, the threat actors behind Balada Injector are known to continually exert control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.
This is often accomplished using JavaScript injection to specifically target logged-in site administrators.
“The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page,” Sucuri researcher Denis Sinegubko noted last year.
“So, if their browser loads a script that attempts to simulate admin activity, it will be able to do almost anything that can be done through the WordPress admin interface.”
The new wave is no exception in that if logged-in admin cookies are detected, it weaponizes the elevated privileges to install and activate a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) so as to fetch a second – stage payload from the aforementioned domain.
The payload, another backdoor, is saved under the name “sasas” in the directory where temporary files are stored, and then it is executed and removed from disk.
“It probes up three levels up from the current directory, looking for the root directory of the current site and any other sites that share the same server account,” Sinegubko said.
“Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected through the Popup Builder vulnerability.”
