
It's estimated that over one million WordPress websites have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks.

"This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites," security researcher Denis Sinegubko said.

The destination websites include fake tech support pages, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on browser notifications ('Please Allow to verify, that you are not a robot'). Once a visitor grants that permission, the actors have a channel for pushing spam ads straight to the browser, long after the visitor has left the compromised site.

The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites.

In the intervening years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (for example, HTML injection and tampering with the Site URL setting), with the attackers primarily attempting to obtain the database credentials stored in the wp-config.php file.

WordPress is the most popular content management system in the world, powering over 30% of all websites, which makes it a standing target for attackers: a single exploitable theme or plugin bug can be used against every site that runs it. If you have a WordPress website, keep WordPress core, themes, and plugins up to date, since this campaign relies on already-known flaws and a patched site removes most of its entry points. Remove themes and plugins you no longer use, and treat wp-config.php as sensitive, because its database credentials are what the attackers are after. A website security scanner such as Sucuri can also help detect the obfuscated script injections and redirects described here.
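The String.fromCharCode obfuscation named above is the easiest of the campaign's traits to check for yourself, because the numeric argument list decodes back to the hidden JavaScript with no key. The following is an added example, not code from Sucuri or from the Balada Injector report: a small scanner that pulls every `String.fromCharCode(...)` call out of the inline scripts in a page, decodes it, and flags decoded text that contains a redirect, a URL or a notification-permission request. The sample page, the injected payload and the `xk3r9t.example.net` subdomain in it are constructed for this example and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Matches the plain form String.fromCharCode(104, 116, ...) with a literal
# numeric argument list. Variants such as String.fromCharCode.apply(null, [...])
# or arguments computed with arithmetic are not handled by this regex.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([^()]*)\)")

# Substrings whose presence in a decoded payload suggests a redirect, a remote
# script load, or the notification prompt used by the rogue CAPTCHA pages.
INDICATORS = (
    "location.href", "location.replace", "window.location",
    "http://", "https://", "Notification.requestPermission", "document.write",
)


def _parse_code_point(tok: str) -> int:
    """Parse one argument token; the injector may use decimal or 0x.. hex."""
    tok = tok.strip()
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    return int(tok, 10)


def decode_fromcharcode(js: str) -> list[str]:
    """Return every String.fromCharCode(...) call in js decoded to text.

    Calls whose arguments are not all valid code points are skipped, so a
    malformed or non-literal call never aborts the scan of the rest of the page.
    """
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js):
        chars = []
        for tok in m.group(1).split(","):
            if not tok.strip():
                continue
            try:
                chars.append(chr(_parse_code_point(tok)))
            except (ValueError, OverflowError):
                chars = []
                break
        if chars:
            decoded.append("".join(chars))
    return decoded


@dataclass
class Finding:
    decoded: str
    indicators: list[str]


def scan_html(html: str) -> list[Finding]:
    """Decode obfuscated strings in inline <script> blocks and flag suspicious ones."""
    findings = []
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        for text in decode_fromcharcode(script):
            hits = [ind for ind in INDICATORS if ind in text]
            if hits:
                findings.append(Finding(text, hits))
    return findings


def obfuscate(plain: str) -> str:
    """Encode text as a String.fromCharCode call; used only to build the sample."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in plain) + ")"


# Constructed sample page (hypothetical): one benign use of String.fromCharCode
# and one injected redirect to a made-up random subdomain on a reserved domain.
INJECTED_PAYLOAD = 'window.location.href="https://xk3r9t.example.net/go.php";'
SAMPLE_HTML = (
    "<html><body><p>Hello</p>\n"
    "<script>var greeting = String.fromCharCode(72,105);</script>\n"
    f"<script>eval({obfuscate(INJECTED_PAYLOAD)});</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("suspicious decoded payload:", f.decoded)
        print("  indicators:", ", ".join(f.indicators))
```

Run it over saved copies of your site's rendered pages (or over theme and plugin PHP files, which the campaign also edits) rather than trusting the source you see in the WordPress editor; the benign `String.fromCharCode(72,105)` call decodes to "Hi" and is left alone, while the injected call is reported together with the decoded target. Any domain surfaced this way that you do not recognise is worth checking for a recent registration date, since that is the other trait the report singles out.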