January 11, 2024 at 12:55PM
The Balada Injector campaign has compromised over 6,700 WordPress websites running a vulnerable version of the Popup Builder plugin. The attacks plant a backdoor and redirect visitors to fake support pages, lottery sites, and push notification scams. Defenses include keeping themes and plugins updated and minimizing the number of active plugins on WordPress sites.
Key points:
1. Over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware.
2. The latest wave of the campaign began on December 13, 2023, and exploits a cross-site scripting (XSS) flaw in Popup Builder versions 4.2.3 and older, affecting 200,000 sites.
3. The attackers modified the wp-blog-header.php file to inject JavaScript backdoors, and redirected visitors to fake support pages, lottery sites, and push notification scams.
4. The ‘felody’ backdoor’s functionality includes arbitrary PHP code execution, uploading and executing files, communication with the attackers, and fetching additional payloads.
5. The attackers have tried to mask the true origin of the attacks, including by putting their infrastructure behind Cloudflare firewalls.
6. Security researcher Randy McEoin noted that the redirections in this campaign point to push notification scams.
To defend against Balada Injector attacks, WordPress site admins should update themes and plugins to their latest versions, uninstall products that are no longer supported or needed, and keep the number of active plugins on a site as small as possible to reduce the attack surface.
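Key point 3 above notes that the campaign modifies wp-blog-header.php, a core file that is normally only a few lines long and rarely changes between WordPress releases. That makes it a good candidate for an integrity check. The script below is an added example (not code from the original article, from Sucuri, or from WordPress): it flags any code line not present in the stock file, and separately flags constructs typical of PHP backdoors. The pristine reference is reproduced from WordPress core (both the `__DIR__` and the older `dirname( __FILE__ )` form are accepted); the "injected" sample is constructed for illustration and is not the actual Balada payload.

```python
"""Heuristic integrity check for a WordPress wp-blog-header.php file.

Added example; not the article's, Sucuri's, or WordPress' own code.
"""
import re
import sys

# Code lines (comments and blank lines ignored) found in the stock file.
# Covers the current __DIR__ form and the older dirname( __FILE__ ) form.
EXPECTED_STATEMENTS = {
    "<?php",
    "if ( ! isset( $wp_did_header ) ) {",
    "$wp_did_header = true;",
    "require_once __DIR__ . '/wp-load.php';",
    "require_once( dirname( __FILE__ ) . '/wp-load.php' );",
    "wp();",
    "require_once ABSPATH . WPINC . '/template-loader.php';",
    "require_once( ABSPATH . WPINC . '/template-loader.php' );",
    "}",
}

# Constructs that a core bootstrap file has no reason to contain.
SUSPICIOUS = re.compile(
    r"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    r"\$_(GET|POST|REQUEST|COOKIE)\b|<script\b|file_put_contents\s*\(|"
    r"curl_exec\s*\(|assert\s*\(",
    re.IGNORECASE,
)


def _code_lines(src):
    """Yield (lineno, stripped text) for non-blank, non-comment lines."""
    in_block_comment = False
    for n, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if in_block_comment:
            if "*/" in line:
                in_block_comment = False
            continue
        if line.startswith("/*"):
            if "*/" not in line:
                in_block_comment = True
            continue
        if not line or line.startswith("//") or line.startswith("#"):
            continue
        yield n, line


def check_blog_header(src):
    """Report lines that deviate from the stock file.

    'unexpected' lists (lineno, text) for code not in the stock file,
    'suspicious' lists lines matching backdoor-style constructs, and
    'clean' is True only when both lists are empty.
    """
    unexpected, suspicious = [], []
    for n, line in _code_lines(src):
        if line not in EXPECTED_STATEMENTS:
            unexpected.append((n, line))
        if SUSPICIOUS.search(line):
            suspicious.append((n, line))
    return {
        "unexpected": unexpected,
        "suspicious": suspicious,
        "clean": not unexpected and not suspicious,
    }


# Reference content of wp-blog-header.php as shipped in WordPress core.
PRISTINE = """<?php
/**
 * Loads the WordPress environment and template.
 *
 * @package WordPress
 */

if ( ! isset( $wp_did_header ) ) {

\t$wp_did_header = true;

\t// Load the WordPress library.
\trequire_once __DIR__ . '/wp-load.php';

\t// Set up the WordPress query.
\twp();

\t// Load the theme template.
\trequire_once ABSPATH . WPINC . '/template-loader.php';

}
"""

# Constructed sample of a tampered file (illustrative, not the real payload):
# a request-triggered eval inside the block and a script tag appended after it.
INJECTED = PRISTINE.replace(
    "\twp();",
    "\twp();\n\tif ( isset( $_REQUEST['x'] ) ) { eval( base64_decode( $_REQUEST['x'] ) ); }",
) + "echo '<script src=\"https://example.invalid/main.js\"></script>';\n"


if __name__ == "__main__":
    # Usage: python check_blog_header.py /path/to/wp-blog-header.php
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else INJECTED
    report = check_blog_header(src)
    for n, line in report["unexpected"]:
        print(f"unexpected line {n}: {line}")
    for n, line in report["suspicious"]:
        print(f"suspicious line {n}: {line}")
    print("clean" if report["clean"] else "REVIEW NEEDED")
```

Treat an "unexpected" hit as something to review rather than proof of infection: a different WordPress release may word a line slightly differently, whereas a "suspicious" hit (eval, base64_decode, a script tag, a request parameter) in this file is not explained by any release. Where WP-CLI is available, `wp core verify-checksums` compares every core file against the checksums published by WordPress.org and is the authoritative check; this script is a lightweight complement for hosts without it, and the same pattern extends to other rarely changing core files.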