Unveiling the Balada Injector: A Malware Epidemic in WordPress

Cyber Security Threat Summary:
In April 2023, outlets such as Bleeping Computer and TechRadar began reporting on cybercriminals who had breached WordPress websites. By exploiting vulnerabilities in two widely used plugins, Elementor Pro Premium (a page builder) and WooCommerce (an online storefront), these actors gained unauthorized access with devastating consequences.

"Cybersecurity firm Sucuri has been tracking Balada Injector activity since 2017 but has only recently given this long-running campaign its name. Primarily leveraging functions written in the Go language, 'Balada', which translates to 'Ballad' in several languages, achieves initial infection through commonly known but unpatched WordPress plugins, themes, or other software vulnerabilities. Balada then attempts to spread itself and maintain persistence by executing a series of rehearsed attacks, cross-site infections, and installation of backdoors, living up to its namesake. The Elementor Pro and WooCommerce compromise path allows authenticated users to modify WordPress configurations to create administrator accounts or inject URL redirects into website pages or posts. The malware then uses a kleptomaniacal scheme to harvest database credentials, archive files, log data, or valuable documents that aren't adequately secured, while establishing numerous Command and Control (C2) channels for persistence" (SecurityAffairs, 2023).

Security Officer Comments:
According to Sucuri, Balada's injection activity follows a predictable monthly schedule, starting on weekends and winding down around mid-week. Although Balada predominantly targets Linux-based hosts, it does not spare Microsoft-based web servers like IIS. Following the practices observed in other contemporary malware campaigns, Balada relies on newly registered domains made up of random, unrelated words. Visitors are enticed to click and are then redirected through these domains to websites that deliver malicious payloads. These websites often masquerade as counterfeit IT support services, notifications of cash prizes, or even security verification services like CAPTCHAs. The infographic below provides an overview of Balada's initial attack vectors, the services or plugins it seeks to exploit, and some of its well-known persistence techniques. Towards the end of the article, defensive measures are summarized, as removing Balada once it has embedded itself is notoriously challenging.

Suggested Correction(s):
Routinely audit installed plugins, themes and other software, keeping only what is strictly necessary for the web application to operate. Remove all unnecessary or unused software. Conduct routine internal penetration testing or similar assessments against web applications to identify exploitable weaknesses before Balada does. Enable File Integrity Monitoring (FIM) against critical system files. Heavily restrict access to sensitive files like wp-config, website backup data, log files or database archives, and ensure strong data retention policies purge older versions of this data when it is no longer needed.
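The File Integrity Monitoring and access-restriction advice above can be exercised with a small script. The following is an added example written for this summary, not code from Sucuri or from any WordPress project: it hashes the PHP/JS/HTML files under a site root into a baseline, reports files that were added, removed or modified since that baseline, and flags a wp-config file whose permissions expose it beyond the owner. The mini site tree, the "modified core file" and the "dropped file" in the demo are all constructed in a temporary directory for illustration; the file-extension list and the sensitive-file list are assumptions chosen for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Extensions worth hashing on a WordPress host (assumption for this example:
# injected redirects and backdoors land in PHP/JS/HTML and .htaccess files).
MONITORED = {".php", ".js", ".html", ".htaccess"}
# Files whose confidentiality matters most (assumption; extend per deployment).
SENSITIVE_FILES = {"wp-config.php"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every monitored file (site-relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix in MONITORED or p.name in MONITORED):
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; modified means same path, different digest."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def is_overexposed(mode: int) -> bool:
    """True when any group or other permission bit is set (e.g. 0o644)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_permissions(root: Path) -> list:
    """Flag sensitive files that group or other users can read or write."""
    findings = []
    for name in sorted(SENSITIVE_FILES):
        p = root / name
        if p.exists():
            mode = stat.S_IMODE(p.stat().st_mode)
            if is_overexposed(mode):
                findings.append(f"{name}: mode {oct(mode)} is readable beyond the owner")
    return findings


def run_demo() -> dict:
    """Constructed scenario: baseline a tiny site, simulate a tampering event,
    and return the FIM report. Nothing here is a real malware sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // core functions\n")
        (root / "readme.txt").write_text("not monitored\n")
        baseline = build_baseline(root)

        # Simulated post-compromise state: one core file altered, one new PHP
        # file dropped, and wp-config.php left world-readable (all constructed).
        with (root / "wp-includes" / "functions.php").open("a") as fh:
            fh.write("// appended line\n")
        (root / "wp-includes" / "dropper.php").write_text("<?php // new file\n")
        os.chmod(root / "wp-config.php", 0o644)

        report = diff_baseline(baseline, build_baseline(root))
        report["permission_findings"] = check_permissions(root)
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In production the baseline should be written somewhere the web server's account cannot modify (ideally off-host), since the summary notes that Balada harvests archives and log data it can reach; a baseline stored beside the site is just one more file for the injector to rewrite.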

Disable unnecessary or insecure server services and protocols like FTP.

Link(s):
https://securityaffairs.com/147460/malware/balada-injector-malware-wordpress.html