Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign
More than one million WordPress websites are estimated to have been infected by Balada Injector, an ongoing malware campaign that has been active since 2017.
The campaign, per GoDaddy’s Sucuri, “exploited all known and recently discovered theme and plugin vulnerabilities” to infiltrate WordPress sites. The attacks are known to occur in waves every few weeks.
“This campaign is easily recognized by its preference for String.fromCharCode obfuscation, use of newly registered domain names hosting malicious scripts on random subdomains, and by redirecting to various scam sites,” security researcher Denis Sinegubko said.
The destination websites included fake tech support pages, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications (“Please Allow to verify, that you are not a robot”), thereby allowing the perpetrators to deliver spam ads.
The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploited weaknesses in more than two dozen plugins and themes to compromise vulnerable WordPress sites.
Over the intervening years, Balada Injector has relied on more than 100 domains and a variety of methods to take advantage of known security flaws (for example, HTML injection and the site URL), with the attackers primarily trying to obtain the database credentials stored in the wp-config.php file.
Additionally, the attacks are engineered to read or download arbitrary site files, including backups, database dumps, and log and error files, and to search for tools such as adminer and phpMyAdmin that site administrators may have left behind after completing maintenance tasks.
The malware ultimately enables the creation of fake WordPress admin users, harvests data stored on the underlying host, and leaves backdoors for persistent access.
Balada Injector also performs an extensive search of the top-level directories associated with the compromised website’s file system to find writable directories belonging to other sites.
“Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions,” said Sinegubko. “This way, compromising just one site could potentially give access to several other sites ‘for free.’”
If this attack path turns out to be unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are therefore advised to keep their website software up to date, remove unused plugins and themes, and use a strong WordPress admin password.
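The passages above describe what the campaign looks for once it has a foothold: a readable wp-config.php, backups and database dumps left in the web root, abandoned adminer/phpMyAdmin copies, and writable directories shared across sites on the same account. The following audit script is an added example written for this article, not Sucuri's tooling or anything from the report; the file-name lists, the finding categories and the throwaway document root it builds are assumptions for the demo, and a practitioner would point `audit_docroot` at a real site root instead.

```python
"""Audit a WordPress document root for the leftovers and loose permissions
that the Balada Injector report says the attackers hunt for.
Added example, not Sucuri's code; name lists below are assumptions."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Hypothetical indicator lists for this example; extend them for your estate.
LEFTOVER_TOOLS = {"adminer.php", "adminer", "phpmyadmin", "phpMyAdmin", "pma"}
DUMP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".log", ".bak")


def audit_docroot(root):
    """Walk a site root and return sorted (category, relative_path) findings."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        # Directories writable by 'other' let any account on the host drop files.
        if d.stat().st_mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", str(d.relative_to(root))))
        for name in dirnames + filenames:
            p = d / name
            rel = str(p.relative_to(root))
            # Abandoned database admin tools are a direct route to wp-config secrets.
            if name in LEFTOVER_TOOLS:
                findings.append(("leftover_admin_tool", rel))
            # Backups, dumps and logs in the web root are readable by anyone who finds them.
            if name.endswith(DUMP_SUFFIXES) and p.is_file():
                findings.append(("exposed_dump_or_log", rel))
            # wp-config.php holds DB credentials; it should not be group/world readable.
            if name == "wp-config.php":
                if p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append(("wp_config_readable_by_others", rel))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway document root containing each kind of leftover.
    Everything here is placeholder content built for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wp_demo_"))
    placeholder = "<?php // constructed placeholder\n"
    (root / "index.php").write_text(placeholder)
    (root / "wp-config.php").write_text(placeholder)
    os.chmod(root / "wp-config.php", 0o644)          # too permissive
    (root / "adminer.php").write_text(placeholder)   # abandoned tool
    (root / "backup").mkdir()
    os.chmod(root / "backup", 0o755)
    (root / "backup" / "site-dump.sql").write_text("-- constructed placeholder\n")
    (root / "wp-content" / "uploads").mkdir(parents=True)
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)  # world writable
    return root


def cleanup(root):
    """Remove the demo tree."""
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    for category, path in audit_docroot(demo):
        print(f"{category:30s} {path}")
    cleanup(demo)
```

Each finding maps to one of the report's observations: the `wp_config_readable_by_others` and `exposed_dump_or_log` categories cover the credential and file-download goals, `leftover_admin_tool` covers the abandoned adminer/phpMyAdmin copies, and `world_writable_dir` is the cross-site condition Sinegubko describes. The checks are name- and mode-based only, so they will not catch a renamed adminer copy or a dump with an unusual extension.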
A separate set of activity analyzed by Unit 42, which also uses String.fromCharCode as an obfuscation technique, redirects victims to trap pages that trick them into enabling push notifications by masquerading as fake CAPTCHA checks, in order to serve deceptive content.
“Injected malicious JS code was included on the homepage of more than half of detected websites,” Unit 42 researchers said. “One common tactic used by campaign operators is to inject malicious JS code in the names of frequently used JS files (e.g., jQuery) that may be included on compromised website homepages.”
“This could potentially help attackers target legitimate users of websites, as they are more likely to visit the website homepage.”
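Both Sinegubko's description of the Balada Injector campaign and the Unit 42 findings above single out String.fromCharCode obfuscation as the recognizable trait. A defender reviewing a site's pages or JS files wants to spot those calls and see what they decode to, so the scanner below does that. It is an added example written for this article, not code from Sucuri or Unit 42; the indicator regex and the constructed sample (with the reserved `example.invalid` host standing in for the random subdomains the report mentions) are assumptions for the demo.

```python
"""Find String.fromCharCode(...) calls in JavaScript or HTML, decode the
character-code lists, and report decoded payloads that contain redirect or
script-loading indicators. Added example; indicator list is an assumption."""
import re

# Tolerates whitespace around the dot and parentheses (e.g. "String. fromCharCode").
FROMCHARCODE_RE = re.compile(
    r"String\s*\.\s*fromCharCode\s*\(\s*([0-9\s,]+)\)", re.IGNORECASE)

# Things worth a second look inside decoded text: bare/absolute URLs, location
# assignments, dynamic script tags, and Notification API use. Constructed list.
SUSPICIOUS_RE = re.compile(
    r"(?:https?:)?//[a-z0-9.-]+"
    r"|location\s*="
    r"|createElement\s*\(\s*['\"]script"
    r"|Notification",
    re.IGNORECASE)


def decode_fromcharcode(js_source):
    """Return the decoded string for every String.fromCharCode(...) call found.
    Only decimal literal argument lists are handled (see note below)."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js_source):
        codes = [int(c) for c in re.split(r"\s*,\s*", m.group(1).strip()) if c]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def scan(js_source):
    """Return one record per decoded payload with the indicators matched in it."""
    findings = []
    for payload in decode_fromcharcode(js_source):
        indicators = sorted(set(SUSPICIOUS_RE.findall(payload)))
        findings.append({"decoded": payload, "indicators": indicators})
    return findings


def suspicious(js_source):
    """Keep only payloads that matched at least one indicator."""
    return [f for f in scan(js_source) if f["indicators"]]


# Constructed sample: one harmless call, one that hides a redirect to a
# placeholder host. The codes spell: location='//x9f2.example.invalid/'
SAMPLE_JS = (
    "/* constructed sample for the demo, not a real injection */\n"
    "var label = String.fromCharCode(65,66,67);\n"
    "var payload = String.fromCharCode(108,111,99,97,116,105,111,110,61,39,47,47,"
    "120,57,102,50,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,"
    "47,39);\n"
)


if __name__ == "__main__":
    for f in suspicious(SAMPLE_JS):
        print("decoded :", f["decoded"])
        print("flags   :", ", ".join(f["indicators"]))
```

The harmless `"ABC"` call decodes but yields no indicators, so only the second payload is reported, with the bare host and the `location=` assignment as its flags. The regex only understands comma-separated decimal literals, so variants such as `String["fromCharCode"]`, hex literals, arithmetic inside the argument list, or `fromCharCode.apply(null, array)` will slip past it; treat a hit as a prompt to review the file, and a miss as no evidence either way.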