The number of WordPress websites compromised by the Balada Injector malware doubled in September 2023 compared with August.
According to The Hacker News, up to 9,000 websites have been compromised through a recently disclosed security vulnerability in the tagDiv Composer plugin for WordPress. The flaw (CVE-2023-3169, an unauthenticated stored cross-site scripting bug) lets attackers inject malicious code into the pages a site serves without ever logging in.
Sucuri security researchers note that this is not the first time the Balada Injector group has targeted vulnerabilities in tagDiv products. A large-scale infection in the summer of 2017 actively exploited two popular tagDiv WordPress themes, Newspaper and Newsmag.
The aim of these campaigns is to redirect visitors of compromised sites to fake technical-support pages, bogus lottery-win pages, and phishing notifications. More than 1 million websites have been affected by Balada Injector since 2017.
The current activity centers on exploiting CVE-2023-3169 to inject malicious code and then establish persistent access: installing backdoors, adding malicious plugins, and creating rogue administrator accounts that give the attackers full control of the site. Because of this persistence, updating tagDiv Composer alone does not clean an already compromised site; the backdoors, rogue plugins, and extra administrator accounts must also be found and removed.
Sucuri describes this as one of the more complex attacks it has observed, carried out by an automated script that mimics the steps of uploading a plugin as a ZIP archive and activating it. The attack waves seen in late September 2023 used randomized code injections that downloaded and executed malware from remote servers, which in turn installed the wp-zexit plugin on the targeted WordPress sites.
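The persistence mechanisms described above (extra administrator accounts, an unexpected plugin such as wp-zexit, and injected script tags in stored content) are what an incident responder checks for first. The following triage script is an added example, not code from Sucuri or from the article; the plugin allowlist, the admin allowlist, the first-party script host, the obfuscation markers, and every sample record are constructed for illustration. In a real engagement the inventories would come from the plugins directory, the wp_users table, and a dump of wp_posts and wp_options.

```python
import re
from typing import Dict, List, Tuple

# --- Assumed site baseline (hypothetical allowlists, not from the article) ---
EXPECTED_PLUGINS = {"td-composer", "akismet"}      # plugins the site owner installed
EXPECTED_ADMINS = {"editor_jane"}                  # administrator accounts that should exist
ALLOWED_SCRIPT_HOSTS = {"www.example.org"}         # first-party host allowed to serve JS

# --- Constructed sample inventory of a suspected-compromised site ---
# wp-zexit is the rogue plugin named in the article; the other names are made up.
INSTALLED_PLUGINS = ["akismet", "td-composer", "wp-zexit"]
ADMIN_USERS = ["editor_jane", "wp_update_user"]
CONTENT_RECORDS: List[Tuple[str, str]] = [
    ("wp_posts:12", "<p>Welcome</p>"),
    ("wp_posts:13",
     '<p>News</p><script src="https://js.example.net/stat.js?v=3"></script>'),
    ("wp_options:widget_text",
     "<script>eval(String.fromCharCode(118,97,114))</script>"),
    ("wp_posts:14", "<script src='//www.example.org/site.js'></script>"),
]

# Captures the host of any <script src=...> that points at a remote origin,
# including protocol-relative "//host/..." references.
REMOTE_SCRIPT = re.compile(
    r"""<script[^>]*\ssrc\s*=\s*["']?(?:https?:)?//([^"'/\s>]+)""", re.I)

# Heuristic markers of obfuscated inline JavaScript (assumed, not exhaustive).
OBFUSCATION_MARKERS = ("eval(", "String.fromCharCode", "atob(", "unescape(")


def find_unknown_plugins(installed: List[str],
                         expected=EXPECTED_PLUGINS) -> List[str]:
    """Plugins present on disk that the site owner never installed."""
    return sorted(set(installed) - set(expected))


def find_unknown_admins(admins: List[str],
                        expected=EXPECTED_ADMINS) -> List[str]:
    """Administrator accounts that are not in the known-good list."""
    return sorted(set(admins) - set(expected))


def find_injected_scripts(records: List[Tuple[str, str]],
                          allowed_hosts=ALLOWED_SCRIPT_HOSTS
                          ) -> List[Tuple[str, str]]:
    """Flag stored content that loads third-party scripts or looks obfuscated."""
    findings = []
    for ident, html in records:
        for host in REMOTE_SCRIPT.findall(html):
            if host.lower() not in allowed_hosts:
                findings.append((ident, "remote script from " + host))
        lowered = html.lower()
        for marker in OBFUSCATION_MARKERS:
            if marker.lower() in lowered:
                findings.append((ident, "obfuscation marker " + marker))
                break  # one marker per record is enough to flag it
    return findings


def triage(installed=INSTALLED_PLUGINS, admins=ADMIN_USERS,
           records=CONTENT_RECORDS) -> Dict[str, list]:
    """Run all three checks and return the indicators found."""
    return {
        "unknown_plugins": find_unknown_plugins(installed),
        "unknown_admins": find_unknown_admins(admins),
        "injected_scripts": find_injected_scripts(records),
    }


if __name__ == "__main__":
    for category, hits in triage().items():
        print(category)
        for hit in hits:
            print("  -", hit)
```

All three checks must come back clean before a site is considered remediated; removing the plugin update-by-update while leaving a rogue administrator in place lets the attacker simply reinstall.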