
Over 17,000 WordPress Websites Compromised by Balada Injector in September 2023


Oct 11, 2023 | Newsroom | Website Security / Hacking


More than 17,000 WordPress websites were compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August.

Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to perform stored cross-site scripting (XSS) attacks.

"This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv's premium themes," Sucuri security researcher Denis Sinegubko said.

"One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused."


Balada Injector is a large-scale operation first discovered by Doctor Web in December 2022, in which the threat actors exploit a variety of WordPress plugin flaws to deploy a Linux backdoor on susceptible systems.

The main objective of the implant is to redirect visitors of the compromised sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. More than 1,000,000 websites have been impacted by the campaign since 2017.

Attacks involving Balada Injector play out as recurring activity waves that occur every couple of weeks, with a surge in infections detected on Tuesdays following the start of a wave during the weekend.

The latest set of breaches involves the exploitation of CVE-2023-3169 to inject a malicious script and ultimately establish persistent access to the sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

Historically, these scripts have targeted logged-in WordPress site administrators, because the admin's browser lets the adversary perform malicious actions with elevated privileges through the admin interface, including creating new admin users that can be used for follow-on attacks.

The rapidly evolving nature of the scripts is evidenced by their ability to plant a backdoor in the websites' 404 error pages that is capable of executing arbitrary PHP code, or, alternatively, to leverage code embedded in the pages to install a malicious wp-zexit plugin in an automated fashion.

Sucuri described it as "one of the most complex types of attacks" performed by the script, given that it mimics the entire process of installing a plugin from a ZIP archive file and activating it.


The core functionality of the plugin is the same as that of the backdoor: to execute PHP code sent remotely by the threat actors.

Newer attack waves observed in late September 2023 involve the use of randomized code injections to download and launch a second-stage malware from a remote server, which in turn installs the wp-zexit plugin.

Also used are obfuscated scripts that transmit the visitor's cookies to an actor-controlled URL and fetch in return an unspecified JavaScript code.

"Their placement in files of the compromised sites clearly shows that this time, instead of using the tagDiv Composer vulnerability, attackers leveraged their backdoors and malicious admin users that were planted after successful attacks against site admins," Sinegubko explained.
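The persistence artefacts described above (the wp-zexit plugin, a 404 template that executes request-supplied PHP, and backdoor files uploaded into the site) can all be audited from the file system. The following is an added example written for this article, not code from Sucuri or WordPress; the backdoor regex and the sample install tree it builds are this example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristic for a PHP backdoor: an execution primitive fed from request data.
# The patterns are this example's assumption, not Sucuri's published indicators.
_EXEC = r"\b(?:eval|assert|system|passthru|shell_exec|exec|create_function)\s*\("
_INPUT = r"\$_(?:POST|GET|REQUEST|COOKIE)\b|php://input"
SUSPICIOUS_PHP = re.compile(_EXEC + r"[^;]*?(?:" + _INPUT + r")", re.S)

def audit_wordpress(root):
    """Return sorted (category, path relative to root) findings for one install."""
    root = Path(root)
    content = root / "wp-content"
    findings = []
    # 1. The plugin slug the article names; other slugs are left alone here.
    if (content / "plugins" / "wp-zexit").is_dir():
        findings.append(("malicious-plugin", "wp-content/plugins/wp-zexit"))
    # 2. Theme 404 templates that feed request data into a PHP execution primitive.
    themes = content / "themes"
    for tpl in (themes.glob("*/404.php") if themes.is_dir() else []):
        if SUSPICIOUS_PHP.search(tpl.read_text(errors="replace")):
            findings.append(("404-backdoor", tpl.relative_to(root).as_posix()))
    # 3. PHP under uploads: WordPress never writes PHP there, so any hit is foreign.
    uploads = content / "uploads"
    for php in (uploads.rglob("*.php") if uploads.is_dir() else []):
        findings.append(("php-in-uploads", php.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample_install(root):
    """Constructed sample: a clean theme, a backdoored 404 page, the plugin, an uploaded shell."""
    files = {
        "wp-content/themes/clean/404.php": "<?php get_header(); ?>\n<h1>Not found</h1>\n",
        "wp-content/themes/infected/404.php": "<?php get_header();\nif (isset($_POST['k'])) { eval($_POST['k']); }\n",
        "wp-content/plugins/wp-zexit/wp-zexit.php": "<?php /* constructed placeholder */\n",
        "wp-content/uploads/2023/09/photo.jpg": "constructed placeholder, not a real image\n",
        "wp-content/uploads/2023/09/cache.php": "<?php /* constructed placeholder */\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

def demo():
    """Build the constructed install in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return audit_wordpress(tmp)
```

Rogue administrator accounts live in the database rather than on disk, so the wp_users table has to be reviewed separately from this file-system pass.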
