More than 17,000 WordPress websites have been compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August.
Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to perform stored cross-site scripting (XSS) attacks.
“This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv’s premium themes,” Sucuri security researcher Denis Sinegubko said.
“One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused.”
Balada Injector is a large-scale operation first discovered by Doctor Web in December 2022, wherein the threat actors exploit a variety of WordPress plugin flaws to deploy a Linux backdoor on susceptible systems.
The main purpose of the implant is to direct users of the compromised sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. More than a million websites have been impacted by the campaign since 2017.
Attacks involving Balada Injector play out in the form of recurring activity waves that occur every couple of weeks, with a surge in infections detected on Tuesdays following the start of a wave during the weekend.
The latest set of breaches entails the exploitation of CVE-2023-3169 to inject a malicious script and ultimately establish persistent access over the sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.
Historically, these scripts have targeted logged-in WordPress site administrators, as they allow the adversary to perform malicious actions with elevated privileges via the admin interface, including creating new admin users that they can use for follow-on attacks.
The rapidly evolving nature of the scripts is evidenced by their ability to plant a backdoor in the websites’ 404 error pages that are capable of executing arbitrary PHP code, or, alternatively, leverage code embedded into the pages to install a malicious wp-zexit plugin in an automated fashion.
Sucuri described it as “one of the most complex types of attacks” performed by the script, given it mimics the entire process of installing a plugin from a ZIP archive file and activating it.
The core functionality of the plugin is the same as the backdoor, which is to execute PHP code sent remotely by the threat actors.
Newer attack waves observed in late September 2023 entail the use of randomized code injections to download and launch a second-stage malware from a remote server to install the wp-zexit plugin.
“Their placement in files of the compromised sites clearly show that this time instead of using the tagDiv Composer vulnerability, attackers leveraged their backdoors and malicious admin users that had been planted after successful attacks against website admins,” Sinegubko explained.