More than 1 million websites using WordPress are infected with malware

by nativetechdoctor

According to a report from Sucuri, an estimated 1 million WordPress websites have been infected with malware from the Balada Injector campaign since 2017.

The GoDaddy-owned security company said that the Balada Injector campaign took advantage of discovered vulnerabilities in plugins and themes to attack WordPress websites in waves every few weeks.

Based on Doctor Web’s findings, the report details a family of Linux malware that exploits vulnerabilities in over 20 plugins and themes to infiltrate vulnerable WordPress sites.

Balada Injector has used more than 100 domains and many methods to exploit known security flaws. The attackers will often find a way to get database credentials (stored in wp-config.php). The malware is designed to read or download files from websites, such as backups, databases, logs, and errors, and to look for administrative tools (like phpMyAdmin) that the website administrator may have left behind after completing a maintenance task.

The malware also helps create a fake WordPress admin account, collects data stored on the underlying servers, and leaves backdoors to maintain persistent access. Balada Injector also searches the top-level directories of the compromised website’s file system to determine locations that may belong to other websites.

Security experts say that it is common for compromised websites to share the same server account and the same file permissions, so compromising one website can also grant access to several other websites.

Therefore, WordPress users should update the software on their website, remove unused plugins and themes, and use a strong WordPress admin password.
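As a complement to these recommendations, the following added example (not part of the original article or the Sucuri report) audits a hosting account's directory for the leftovers described above: backups, database dumps, logs, admin tools such as phpMyAdmin, and a `wp-config.php` readable by other accounts. The file-name patterns, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed name patterns (not taken from the report) for the leftovers the article lists.
BACKUP_EXT = (".sql", ".sql.gz", ".zip", ".tar.gz", ".bak", ".old")
LOG_NAMES = ("error_log", "debug.log")
ADMIN_DIRS = ("phpmyadmin",)

def audit_webroot(root):
    """Return sorted (category, relative_path) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        findings += [("admin-tool", os.path.relpath(os.path.join(dirpath, d), root))
                     for d in dirnames if d.lower() in ADMIN_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            low = name.lower()
            if low.endswith(BACKUP_EXT):
                findings.append(("backup", rel))
            elif low in LOG_NAMES or low.endswith(".log"):
                findings.append(("log", rel))
            # wp-config.php holds the database credentials: flag it when world-readable.
            if low == "wp-config.php" and os.stat(path).st_mode & stat.S_IROTH:
                findings.append(("world-readable-config", rel))
    return sorted(findings)

def build_sample_tree(base):
    """Create a constructed sample: two sites under one account's directory."""
    files = {
        "site-a/wp-config.php": 0o644,
        "site-a/wp-config.php.bak": 0o644,
        "site-a/wp-content/debug.log": 0o644,
        "site-a/phpmyadmin/index.php": 0o644,
        "site-b/wp-config.php": 0o600,
        "site-b/db-dump.sql": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_webroot(build_sample_tree(tmp)), sep="\n")
```

Run it against the account's home directory rather than a single site, so that sibling sites sharing the same account and permissions are covered in one pass.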

The report comes just weeks after Palo Alto Networks Unit 42 discovered a campaign that injects malicious JavaScript to redirect traffic to phishing and adware pages. More than 51,000 WordPress-based websites have been affected since 2022.

Unit 42 researchers said that malicious JS was injected into the homepages of more than half of the detected WordPress websites. A common tactic of the campaign's operators is to insert the malicious code into files with frequently used JS filenames, such as jQuery, that are placed on the homepages of compromised websites.
