January 15, 2024 at 11:44AM
Thousands of WordPress sites are affected by the Balada Injector malware, which exploits a vulnerability in the Popup Builder plugin. The campaign, active since 2017, aims to redirect visitors to fraudulent pages and push notification scams. The attackers establish persistent control by adding backdoors and malicious plugins. The issue was addressed in version 4.2.3 of the plugin.
The meeting notes highlight a widespread security vulnerability affecting WordPress sites using the Popup Builder plugin. The malware exploiting it, known as Balada Injector, has been part of a campaign active since 2017 that has infiltrated over 1 million sites. The attacks target the high-severity flaw in Popup Builder (CVE-2023-6000) and aim to insert a malicious JavaScript file, leading to redirects and control of the website. The threat actors also establish persistent control by adding backdoors and malicious plugins, specifically targeting logged-in site administrators. The meeting notes provide crucial details about the campaign’s tactics and the impact on compromised sites.