WordPress is once again dealing with a plugin vulnerability that needs to be addressed urgently.
Introduction:
In a recent wave of cyber attacks, more than 7,100 WordPress sites have fallen victim to a malware named Balada Injector. This security breach is linked to a vulnerable version of the popular Popup Builder plugin, with the campaign unfolding in periodic waves since 2017. The malware exploits a severe flaw in Popup Builder, allowing threat actors to inject backdoors into websites. The ultimate goal is to redirect visitors to deceptive tech support pages, fraudulent lottery claims, and push notification scams.
The Scale of the Operation:
Sucuri, a website security company owned by GoDaddy, discovered the latest Balada Injector activity on December 13, 2023. This revelation unveiled the extensive scope of the operation, estimating that over 1 million sites have been infiltrated since 2017. The attacks specifically target WordPress sites, taking advantage of the vulnerability in the Popup Builder plugin, which boasts more than 200,000 active installations.
Exploiting Popup Builder Vulnerability:
The security flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) was publicly disclosed by WPScan, a day prior to the detection of the latest Balada Injector activity. The vulnerability allowed attackers to perform various actions on the targeted site, mimicking the privileges of the logged-in administrator. This included the installation of arbitrary plugins and the creation of rogue administrator users. The issue was addressed in version 4.2.3 of the Popup Builder plugin.
The Malicious Payload:
The primary objective of the Balada Injector campaign is to insert a malicious JavaScript file hosted on specialcraftbox[.]com. This file enables threat actors to take control of the compromised website and load additional JavaScript for executing malicious redirects. To establish persistent control, the attackers employ various techniques, including uploading backdoors, adding malicious plugins, and creating rogue blog administrators. Notably, the JavaScript injections are designed to specifically target logged-in site administrators.
Administrator Authentication Exploitation:
Sucuri researcher Denis Sinegubko highlighted a unique aspect of the Balada Injector campaign. By exploiting logged-in administrator cookies, the attackers can emulate administrative activities without the need for repeated authentication on each page. This method allows the injected script to perform virtually any action available through the WordPress admin interface. In the recent wave, if logged-in admin cookies are detected, the attackers utilize the elevated privileges to install and activate a rogue backdoor plugin named “wp-felody.php” or “Wp Felody.” This enables the retrieval of a second-stage payload from the specialcraftbox[.]com domain.
Advanced Backdoor Placement:
The second-stage payload, identified as “sasas,” is saved in the directory where temporary files are stored. Subsequently, it is executed and promptly deleted from the disk. In an attempt to broaden their control, the attackers search up to three levels above the current directory, identifying the root directory of the current site and potentially other sites sharing the same server account. Within these detected site root directories, the wp-blog-header.php file is modified to inject the same Balada JavaScript malware initially inserted via the Popup Builder vulnerability.
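The chain described above leaves three artifacts a site owner can look for: a Popup Builder install older than 4.2.3, a rogue plugin file named wp-felody.php, and a wp-blog-header.php that references the specialcraftbox[.]com domain or emits a script tag. The following Python check is an added example (not code from the article or from Sucuri); it assumes the plugin lives at the upstream path wp-content/plugins/popup-builder/popup-builder.php and builds a constructed, inert sample site so it can be run offline.

```python
import re
import tempfile
from pathlib import Path
# Indicators from the article (domain is defanged there as specialcraftbox[.]com).
INJECTED_DOMAIN = "specialcraftbox.com"
ROGUE_PLUGIN_FILE = "wp-felody.php"
PATCHED_POPUP_BUILDER = (4, 2, 3)
POPUP_BUILDER_MAIN = Path("wp-content/plugins/popup-builder/popup-builder.php")  # assumed upstream layout

def parse_plugin_version(header_text):
    # Read "Version: x.y.z" from a WordPress plugin header comment.
    m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def scan_site(root):
    # Return (indicator, detail) pairs for one WordPress document root.
    root, findings = Path(root), []
    header = root / "wp-blog-header.php"
    if header.is_file():
        body = header.read_text(errors="replace")
        # Stock wp-blog-header.php only loads WordPress; a script tag or the C2 domain is foreign.
        if INJECTED_DOMAIN in body or "<script" in body.lower():
            findings.append(("wp-blog-header.php injected", str(header)))
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        for p in plugins.rglob(ROGUE_PLUGIN_FILE):
            findings.append(("rogue backdoor plugin", str(p)))
    main = root / POPUP_BUILDER_MAIN
    if main.is_file():
        v = parse_plugin_version(main.read_text(errors="replace"))
        if v is not None and v < PATCHED_POPUP_BUILDER:
            findings.append(("Popup Builder below 4.2.3", ".".join(map(str, v))))
    return findings

def build_sample_site(base):
    # Constructed site layout showing all three indicators; the files are inert placeholders.
    plugins = Path(base) / "wp-content" / "plugins"
    (plugins / "popup-builder").mkdir(parents=True)
    (plugins / "popup-builder" / "popup-builder.php").write_text(
        "<?php\n/*\nPlugin Name: Popup Builder\nVersion: 4.2.2\n*/\n")
    (plugins / "wp-felody").mkdir()
    (plugins / "wp-felody" / ROGUE_PLUGIN_FILE).write_text("<?php // placeholder\n")
    (Path(base) / "wp-blog-header.php").write_text(
        "<?php\nrequire __DIR__ . '/wp-load.php';\n"
        f"echo '<script src=\"https://{INJECTED_DOMAIN}/x.js\"></script>';\n")
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site(build_sample_site(tmp))
```

Because the campaign also walks into neighbouring sites under the same hosting account, run scan_site over every document root in that account, not only the one that had Popup Builder installed.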
Conclusion:
The Balada Injector campaign poses a significant threat to WordPress sites, exploiting vulnerabilities in the widely-used Popup Builder plugin. Website administrators are strongly advised to update their plugins to the latest versions promptly to mitigate the risk of falling victim to this persistent and sophisticated cyber threat. Additionally, implementing robust security measures, regularly monitoring for unauthorized activities, and educating users about phishing attempts can contribute to safeguarding WordPress sites against such malicious campaigns.