The new Balada injector campaign exploits a vulnerability in the unpatched tagDiv WordPress premium theme plugin.
Based on reports, this new cybercriminal operation targets websites that use the Newspaper and Newsmag themes. The specific vulnerability that the campaign exploits is an unauthenticated XSS vulnerability within the plugin that became public last month.
Over 135,000 users have installed this plugin, so a successful attack could put a large number of sites at risk.
The Balada injector operators use several methods to bypass detection.
According to investigations, the Balada injector operators use various tactics to evade detection while luring users into visiting deceptive websites. The initial attack sequence includes injecting two Balada injector variants into publicly accessible WordPress pages.
Researchers discovered the first variant on over 4,000 sites and the second on 1,000 websites. In the following attacks, the malicious actors created rogue admin usernames and email addresses on the targeted sites so they could initiate infections or plant backdoors.
The third wave involved implanting the malware injector into the 404.php file of the Newspaper theme. Last month, the fourth wave of attacks started using a malicious wp-zexit plugin installation that impersonated the original installation page.
In the fifth wave, on September 21, the attackers moved the injection point to the std_live_0101c0ss_local_storage option in the WordPress database. The threat actors can register three new domains inside the database in under seven seconds.
The sixth wave, which started at the end of last month, involved various scripts that loaded malware from subdomains linked to promsmotion[.]com.
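As an added defensive example (not code from the original report), the following Python audits data exported from a WordPress site for the indicators described above: script tags in the theme's 404.php that load from promsmotion[.]com or its subdomains, the std_live_0101c0ss_local_storage entry in wp_options, administrator accounts the site owner does not recognise, and the wp-zexit plugin. All sample inputs are constructed, and the input formats and the admin allowlist are assumptions.

```python
import re

# Indicators named in the report above (the defanged domain is re-fanged for matching).
SUSPECT_OPTION = "std_live_0101c0ss_local_storage"
SUSPECT_DOMAIN = "promsmotion[.]com".replace("[.]", ".")
SUSPECT_PLUGIN = "wp-zexit"

# Captures the host of any <script src="//host/..."> or <script src="https://host/..."> tag.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

def suspicious_script_hosts(php_source, domain=SUSPECT_DOMAIN):
    """External script hosts in a theme file that are the flagged domain or one of its subdomains."""
    hosts = (h.lower() for h in SCRIPT_SRC_RE.findall(php_source))
    return sorted({h for h in hosts if h == domain or h.endswith("." + domain)})

def injected_options(option_rows, names=(SUSPECT_OPTION,)):
    """option_rows: (option_name, option_value) pairs, e.g. parsed from WP-CLI's `wp option list --format=json`."""
    return [name for name, _value in option_rows if name in names]

def unexpected_admins(users, allowlist):
    """Administrator logins absent from the owner's known-good set (allowlist is an assumed input)."""
    return sorted(u["user_login"] for u in users
                  if "administrator" in u.get("roles", ()) and u["user_login"] not in allowlist)

def flagged_plugins(plugin_slugs, flagged=(SUSPECT_PLUGIN,)):
    """Installed plugin slugs that match the rogue plugin named in the report."""
    return sorted(slug for slug in plugin_slugs if slug in flagged)

def audit(theme_404_source, option_rows, users, admin_allowlist, plugin_slugs):
    """Collect every non-empty finding; an empty dict means none of the indicators were seen."""
    findings = {
        "script_hosts": suspicious_script_hosts(theme_404_source),
        "options": injected_options(option_rows),
        "admins": unexpected_admins(users, admin_allowlist),
        "plugins": flagged_plugins(plugin_slugs),
    }
    return {key: hits for key, hits in findings.items() if hits}

# Constructed sample inputs standing in for a real site's 404.php, wp_options, users and plugin list.
SAMPLE_404 = '<?php get_header(); ?>\n<script src="//cdn1.promsmotion.com/a.js"></script>\n<h1>Not found</h1>'
SAMPLE_OPTIONS = [("siteurl", "https://example.test"), (SUSPECT_OPTION, "eval(...)")]
SAMPLE_USERS = [{"user_login": "owner", "roles": ["administrator"]},
                {"user_login": "wp_admin_2", "roles": ["administrator"]},
                {"user_login": "editor1", "roles": ["editor"]}]
SAMPLE_PLUGINS = ["akismet", "wp-zexit"]

if __name__ == "__main__":
    for key, hits in audit(SAMPLE_404, SAMPLE_OPTIONS, SAMPLE_USERS, {"owner"}, SAMPLE_PLUGINS).items():
        print(f"{key}: {hits}")
```

A real run would feed the script the contents of wp-content/themes/newspaper/404.php and the output of the WP-CLI option, user and plugin listings instead of the constructed samples.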
However, this is not the first time malware operators have abused this plugin to target websites. In the past, the malware injector was part of a large-scale cybercriminal campaign that compromised more than one million WordPress websites over approximately five years.
These infected WordPress site subdomains host malicious scripts that redirect visitors to scam sites, such as fake tech support, fraudulent lottery winnings, and push notification scams.
Researchers have published a list of malicious domains and IP addresses to help organisations identify and mitigate these threats. Users and firms should update the plugin to its latest version (4.2) and use website scanners to prevent infection. Lastly, organisations should also consider removing unnecessary admin users and redundant plugins from their websites to enhance security.
