Over 17,000 WordPress sites hacked in Balada Injector attacks last month

By Akash
on 06-12-2023 11:03 AM

Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.

Balada Injector is a massive operation discovered in December 2022 by Dr. Web, which has been leveraging various exploits for known WordPress plugin and theme flaws to inject a Linux backdoor.

The backdoor redirects visitors of the compromised websites to fake tech support pages, fraudulent lottery wins, and push notification scams, so it is either part of scam campaigns or a service sold to scammers.

In April 2023, Sucuri reported that Balada Injector has been active since 2017 and estimated that it had compromised nearly one million WordPress sites.
The threat actors leverage the CVE-2023-3169 cross-site scripting (XSS) flaw in tagDiv Composer, a companion tool for tagDiv’s Newspaper and Newsmag themes for WordPress sites.
According to public EnvatoMarket stats, Newspaper has 137,000 sales and Newsmag over 18,500, so the attack surface is 155,500 websites, not accounting for pirated copies.

The two are premium (paid) themes, often used by thriving online platforms that maintain healthy operations and garner significant traffic.

The latest campaign targeting CVE-2023-3169 started in mid-September, shortly after the vulnerability details were disclosed and a PoC (proof-of-concept exploit) was released.

These attacks align with a campaign shared with BleepingComputer in late September, when admins reported on Reddit that numerous WordPress sites were infected with a malicious plugin called wp-zexit.php.
This plugin allowed the threat actors to remotely send PHP code that would be saved to the /tmp/i file and executed.

The attacks were also marked by code being injected into templates that would redirect users to scam sites under the attacker’s control.

At the time, a tagDiv representative confirmed they were aware of the flaw and told people to install the latest theme to prevent the attacks.

“We are aware of these cases. The malware can affect websites using older theme versions,” explained tagDiv.
“Besides updating the theme, the recommendation is to immediately install a security plugin such as wordfence, and scan the website. Also change all the website passwords.”
Sucuri’s report sheds new light on the campaign, warning that several thousands of sites have already been compromised.
A characteristic sign of CVE-2023-3169 exploitation is a malicious script injected within specific tags, while the obfuscated injection itself can be found in the ‘wp_options’ table of the website’s database.
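As an added illustration of the indicator just described (this is example code, not from Sucuri's report or this article), the following Python scans rows exported from the wp_options table for injected script tags and common JavaScript obfuscation patterns. The sample rows and the heuristic pattern list are constructed for this example; the article does not name the specific tags or option keys involved, so the option names used below are assumptions.

```python
import re

# Matches an inline <script> element and captures its body.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Heuristics for obfuscated JavaScript (constructed for this example,
# not an official indicator list for CVE-2023-3169 or Balada Injector).
OBFUSCATION = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("fromCharCode", re.compile(r"String\.fromCharCode", re.I)),
    ("hex-escapes", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
    ("long-base64", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
    ("atob", re.compile(r"\batob\s*\(", re.I)),
]


def scan_wp_options(rows):
    """rows: iterable of (option_name, option_value) as dumped from wp_options.

    Returns a list of (option_name, indicators). Any inline <script> tag in an
    option value is reported as 'script-tag'; obfuscation heuristics that also
    match are appended so a reviewer can prioritise the finding."""
    findings = []
    for name, value in rows:
        for match in SCRIPT_TAG.finditer(value or ""):
            body = match.group(1)
            hits = ["script-tag"] + [label for label, rx in OBFUSCATION if rx.search(body)]
            findings.append((name, hits))
            break  # one finding per option row is enough for triage
    return findings


# Constructed sample export: two benign rows, one obfuscated injection,
# and one plain inline script inside a PHP-serialized theme_mods value.
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("blogdescription", "Just another WordPress site"),
    ("widget_text", "<script>eval(String.fromCharCode(118,97,114))</script>"),
    ("theme_mods_newspaper", 'a:1:{s:6:"custom";s:18:"<script>x</script>";}'),
]

if __name__ == "__main__":
    for option_name, indicators in scan_wp_options(SAMPLE_ROWS):
        print(f"{option_name}: {', '.join(indicators)}")
```

On a real site, feed the function the output of a query such as `SELECT option_name, option_value FROM wp_options` (table prefix may differ) and review every flagged row by hand, since legitimate plugins also store inline scripts there.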