
Long-Lasting Balada Injector Campaign Hits WordPress Websites, Researcher Reveals

Vlad CONSTANTINESCU

April 10, 2023


A sweeping, long-lasting malicious campaign dubbed "Balada Injector" has compromised an estimated 1 million WordPress websites since its inception in 2017.

The campaign leverages "all known and recently discovered theme and plugin vulnerabilities" to inject a Linux backdoor that gives the attackers unauthorized, persistent access to affected websites. Its primary objective appears to be redirecting visitors to fraudulent tech support pages, fake lottery wins and push notification scams.

According to website security company Sucuri, the perpetrators exploit known vulnerabilities in several WordPress themes and plugins to plant the backdoor, sidestepping whatever authentication the site has and taking control of it.

Once inside, Balada’s scripts try to steal sensitive data from the compromised site, including credentials, access logs, backup archives, database dumps and debug information. To avoid suspicion, the attackers frequently alter the list of targeted files, continually adding “new elements” and removing “underperforming ones.”
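The file categories named above (configuration and credential backups, database dumps, backup archives, debug logs) are exactly what a site owner should make sure are not sitting in the web root. The script below is an added example, not code from the article or from Sucuri; the filename patterns it searches for are an assumption chosen for illustration and are not Balada Injector indicators of compromise. It lists such leftover artifacts under a WordPress document root and, separately, PHP files modified in the last few days, since freshly written PHP outside a known deploy window is where an injected backdoor usually shows up.

```shell
#!/bin/sh
# Added example (not from the article or Sucuri): audit a WordPress document
# root for the kinds of files the campaign is described as hunting for, plus
# recently modified PHP. Patterns are assumptions for illustration only.

# Print files whose names suggest leftover secrets, dumps or backups.
find_exposed_artifacts() {
    docroot=$1
    find "$docroot" -type f \( \
        -name 'wp-config.php.*' -o -name 'wp-config.php~' -o -name 'wp-config*.bak' \
        -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.zip' \
        -o -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
        -o -name '*.bak' -o -name '*.old' -o -name '*.orig' \
        -o -name 'debug.log' -o -name 'error_log' -o -name '.env' \
        \) 2>/dev/null | sort
}

# Print PHP files modified within the last N days (default 7).
find_recent_php() {
    docroot=$1
    days=${2:-7}
    find "$docroot" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sort
}

# Total number of findings from both checks, usable as a quick pass/fail signal.
count_findings() {
    docroot=$1
    n=$(find_exposed_artifacts "$docroot" | wc -l | tr -d ' ')
    m=$(find_recent_php "$docroot" "${2:-7}" | wc -l | tr -d ' ')
    echo $((n + m))
}

audit_wordpress() {
    docroot=$1
    echo "== Backup/dump/log artifacts under $docroot =="
    find_exposed_artifacts "$docroot"
    echo "== PHP files modified in the last ${2:-7} days =="
    find_recent_php "$docroot" "${2:-7}"
}

# Usage: sh wp_artifact_audit.sh /var/www/html [days]
if [ "$#" -gt 0 ]; then
    audit_wordpress "$@"
fi
```

Anything the first check reports should be moved outside the web root or deleted; the second list should be reconciled against your own change history, and any PHP file you cannot account for treated as a potential backdoor rather than cleaned in place.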

WordPress, a well-established website builder and content management system (CMS), powers over 40% of the world’s websites. Its popularity, large user base and vast ecosystem of third-party themes and plugins make it an attractive target for cybercriminals, since a single plugin flaw can be exploited across many sites at once.

The campaign underscores the need for basic hygiene that closes the door it relies on: promptly updating WordPress core, themes and plugins, removing components that are no longer maintained, and training users to recognize the scam pages it redirects to.

Sucuri's researchers shared indicators of compromise (IOCs) and guidance on identifying and removing the Balada Injector backdoor. Site owners who suspect their websites have been compromised should nevertheless consider getting help from security professionals, since partial cleanup tends to leave a backdoor behind.

As Balada Injector continues to exploit WordPress theme and plugin vulnerabilities, website owners and administrators are advised to remain vigilant and take precautions to protect their assets. Staying informed and taking a proactive approach to website security reduces the potential impact of this and future campaigns.
