Unveiling the Balada injector: a malware epidemic in WordPress


Learn the shocking truth behind the Balada Injector campaign and find out how to protect your organization from this relentless viral invasion.

A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress plugins — infiltrating over a million websites and leaving administrators scrambling for solutions.

In April 2023, Bleeping Computer and other tech outlets like TechRadar began circulating reports of cybercriminals successfully hacking WordPress websites. They were able to gain access via a toxic combination of the popular plugins Elementor Pro Premium (Webpage builder) and WooCommerce (Online storefront).

Initially attributed to security researcher Jerome Braundet of the Ninja Tech Network, this recently disclosed vulnerability produces a base 8.8 CVSS score (High), giving WordPress administrators and cybersecurity teams much to fret over.

As of May 2023, an official CVE designation is still pending. Websites running Elementor Pro 3.11.6 or earlier, alongside an activated WooCommerce plugin, are advised to upgrade ElementorPro to at least 3.11.7 or face the risk of authenticated users (think of standard e-commerce customers) achieving total control of websites by exploiting Broken Access Control — the most severe of OWASP’s Top 10 risks.

While reports of this vulnerability have circulated wildly across the interwebs, a lesser-known but directly related set of ‘hack-tivities’ has been occurring on a similar front against these and other standard WordPress plugins.

This article will focus on the widespread and highly persistent malware injector campaign “Balada,” which has reportedly infected over 1 million individual websites by exploiting weaknesses in Elementor Pro, WooCommerce, and several other WordPress plugins. This article will provide a brief history of the Balada Injector, its common objectives, common Indicators of Compromise (IoC), and a quick exploitation overview, including some general tips that organizations should adopt to avoid being the next victim.

What is Balada?

Cybersecurity firm Sucuri has been tracking Balada Injector activity since 2017 but has only recently given this long-running campaign its name. Primarily leveraging functions written in the Go language, ‘Balada’, which translates to ‘Ballad’ in several languages, achieves initial infection through commonly known but unpatched WordPress plugins, themes, or other software vulnerabilities.

Balada then attempts to spread itself and maintain persistence by executing a series of rehearsed attacks, cross-site infections, and installation of backdoors, living up to its namesake. The Elementor Pro and WooCommerce compromise path allows authenticated users to modify WordPress configurations to create administrator accounts or inject URL redirects into website pages or posts. The malware then uses a kleptomaniacal scheme to harvest database credentials, archive files, log data, or valuable documents that aren’t adequately secured, while establishing numerous Command and Control (C2) channels for persistence.

Balada is not an overly shy malware campaign. Sucuri notes that injection activities follow a defined monthly schedule that generally starts on the weekend and ends around mid-week on a predictable cycle.

Balada favors exploiting Linux-based hosts, but Microsoft-based web servers like IIS are not immune. Adhering to practices seen in other contemporary malware campaigns, Balada leverages newly-registered domains consisting of random, unrelated words to entice clicks and user redirection to websites that deliver malicious payloads.

These websites will often take the guise of fake IT Support services, cash prize notifications, or even security verification services like CAPTCHAs. The below infographic summarizes the initial attack vectors that Balada will seek to exploit, services or plugins it attempts to abuse, and some of its more recognized persistence vectors. Defensive measures will be summarized towards the end of the article, as Balada is notoriously difficult to remove once it has embedded itself.

Basic Balada Injector workflow
Basic Balada Injector workflow and capabilities against a WordPress CMS.

Identifying Balada injections

Sucuri’s research further established that Balada’s primary malware routine is typically located in the following path on compromised victim devices “C:/Users/host/Desktop/balada/client/main.go”. A semi-maintained Virus Total collection highlights common file hashes, URLs, and other indicators associated with Balada-delivered malware and its infections.

Balada also leverages a dated but recurring User-Agent “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36” which has been observed by Sucuri repeatedly in compromised machine logs starting in late 2020 and well into the current period. Balada activity has been associated with well over 100 unique domains since 2017. Balada leverages a “main.ex_domains function to store and reuse domains for future attacks as successful infection or compromise occurs in monthly campaigns.

The below table highlights a small portion of the common domains observed in recently analyzed injector campaigns. Sucrui was contacted for comment in May 2023 to determine if an APT group was attributed to these attacks, with no formal response issued.

cdn.statisticline[.]com/scripts/sway.jsactraffic[.]comimportraffic[.]com
collectfasttracks[.]comfollowmyfirstone[.]comdigestcolect[.]com
primarylocationgo[.]comstarttrafficc[.]combuyittraffic[.]com
cutttraffic[.]comdexterfortune[.]comjockersunface[.]com
destinyfernandi[.]comrequestfor4[.]combalanceforsun[.]com

Exploitation walkthrough

The following section will highlight a high-level walkthrough demonstrating how a WordPress installation that leverages the vulnerable versions of Elementor Pro and WooCommerce can be exploited. The demonstration can be recreated on a Kali Linux VM, with a Bitnami WordPress Docker container running inside of Kali. It is not advised that readers attempt to recreate these conditions, attempt to download and use known vulnerable software in any capacity, or attempt these exploitation techniques against systems not owned by the reader. Proceed at your own risk!

The various elements and functions within Elementor Pro
The various elements and functions within Elementor Pro, that facilitate website compromise when using version 3.11.6 or earlier.

Unauthenticated users can leverage the vulnerability by simply registering for a WooCommerce user account then querying the backend AJAX action as such:

“http(s)://vulnerablesite[.]com/wp-admin/?wc-ajax=1”.

After updating values such as “siteurl,” SQL queries can be generated to determine the destination specified and whether autoload is enabled. Certain web application firewalls (WAF) will purportedly provide adequate protections against exploitation but an upgrade from Elementor is suggested immediately if version 3.11.6 is in use.

Defensive control considerations

So far, the article has covered how Balada seeks to achieve an initial compromise, the specific types of files and information it deems proper, and some common infection techniques. Organizations can consider some of the guidance below to help them prevent Balada infection or determine when infections may occur.

Some advice is self-evident, like ensuring web server hosts, website plugins, themes, or related software remain current and up to date. Some are less obvious, such as ensuring sound DNS security through solutions like Cisco Umbrella or DNSFilter. These capabilities exist to provide network-level or roaming client solutions that identify, then block redirection attempts and DNS requests to known malicious sites. Organizations should also enforce a strong password policy (complexity, 16+ characters, etc.), privileged users must satisfy multifactor authentication or other conditional access policies, and creating privileged accounts should generate alerts to appropriate teams. Organizations should also strongly consider implementing or routinely assessing the following:

  • Routinely audit necessary plugins, themes or software strictly necessary for web application operations. Remove all unnecessary or unused software.
  • Conduct internal and routine penetration testing or similar assessments against web applications to identify exploitable weaknesses before Balada does.
  • Enable File Integrity Monitoring (FIM) against critical system files.
  • Heavily restrict access to sensitive files like wp-config, website backup data, log files or database archives and ensure strong data retention policies purge older versions of this data when no longer needed.
  • Disable unnecessary or insecure server services and protocols like FTP.
  • Subscribe to security alerts via US CISA, MS-ISAC or other reputable threat intelligence services to learn about critical software and system vulnerabilities.

Summary

While WordPress remains the most widely adopted solution within the Content Management System (CMS) space (boasting over 30 million installations as of May 2023 per CreativeMinds), its relative size makes it a prime target for would-be attackers and Advanced Persistent Threats (APT) outfits. This article demonstrated the widespread adoption of vulnerable software components in WordPress installations and how simple it can be for bad actors to achieve successful exploitation given the right mix of available ingredients.

Organizations owe it to their customers, stakeholders, and business partners to ensure defense in depth approaches are instituted against internet-accessible assets, lest they face becoming another negative news statistic. Long-standing malware campaigns like Balada continue to enjoy success due to lackadaisical approaches to cybersecurity best practices. It is time for organizations to step up their game when it comes to cyber resiliency and flip the script on these bad actors.


More from Cybernews:

I’m addicted to apps and I’m not asking to be rescued

The University of Manchester hit with cyberattack

Hackers have been sitting on MOVEit bug for 2 years

French Senate gives green light to surveillance through cameras and microphones

ANOM ‘sting’ app leads to $5M bounty offer by FBI

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked