    Cyber Security

Balada Injector exploits plugin vulnerability to infect more than 7,100 WordPress sites

By techempire

Report, January 15, 2024, Editorial Department, Website security/vulnerabilities

    WordPress plug-in vulnerability

Thousands of WordPress sites running vulnerable versions of the Popup Builder plugin have been compromised by malware known as Balada Injector.

Doctor Web first documented the campaign in January 2023. It takes the form of periodic attack waves that exploit security vulnerabilities in WordPress plugins to inject backdoors that redirect visitors of infected sites to fake technical support pages, fraudulent lottery-win pages and push notification scams.

Sucuri’s follow-up findings revealed the scale of the operation, which is said to have been active since 2017 and to have compromised at least 1 million sites since then.


    The website security company owned by GoDaddy detected the latest Balada injector activity on December 13, 2023, and said it found injection behavior on more than 7,100 websites.

    The attacks exploit a high-severity flaw (CVE-2023-6000, CVSS score: 8.8) in Popup Builder — a plugin with more than 200,000 active installations — that WPScan publicly disclosed the day before. This issue has been resolved in version 4.2.3.

    “Successfully exploiting this vulnerability could allow an attacker to perform any action on the target website that the logged-in administrator they targeted could perform, including installing arbitrary plug-ins and creating new rogue administrator users,” said WPScan researcher Marc Montpas.

    The end goal of the campaign is to insert a malicious JavaScript file hosted on specialcraftbox[.]com and use it to take control of the website and load additional JavaScript to facilitate malicious redirects.

    Additionally, the threat actors behind Balada Injector are known to establish persistent control over infected websites by uploading backdoors, adding malicious plug-ins, and creating rogue blog administrators.

This is usually done by injecting JavaScript that specifically targets logged-in webmasters.

    “The idea is that when a blogger logs into the site, their browser contains cookies that allow them to perform all administrative tasks without having to authenticate themselves on each new page,” Sucuri researcher Denis Sinegubko pointed out last year.


    “So if their browser loads a script that attempts to simulate administrator activity, it will be able to perform almost any action that can be done through the WordPress admin interface.”

The new wave is no exception. If a logged-in administrator's cookie is detected, the script uses those elevated privileges to install and launch a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”), which in turn fetches a second-stage payload from the domain named above.

The payload is another backdoor, stored under the name “sasas” in the directory used for temporary files, then executed and deleted from disk.

    “It checks three levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account,” Sinegubko said.

    “It then modifies the wp-blog-header.php file in the root of the detected website to inject the same Balada JavaScript malware originally injected via the Popup Builder vulnerability.”
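The artifacts quoted above (a modified wp-blog-header.php referencing specialcraftbox[.]com, the rogue wp-felody.php plugin file, the short-lived “sasas” drop in the temp directory, and sibling sites under the same hosting account) are concrete enough to check for. The script below is an added example written for this article; it is not Sucuri's, WPScan's or WordPress's own tooling. It assumes a site root is any directory containing wp-config.php, that a stock wp-blog-header.php contains no HTML at all, and it builds a constructed two-site fixture so it runs offline; the file name loader.js and the plugin directory name wp-felody are placeholders, not indicators from the article.

```python
"""Defender-side scan for the Balada Injector artifacts named in the article.
Added example, not the article's or any vendor's code.  It mirrors the
malware's own search (three directory levels up, then every WordPress site
sharing that account) and checks each site for an injected wp-blog-header.php,
the rogue wp-felody.php plugin file, and a 'sasas' drop in a temp directory."""

import os
import re
import tempfile
from pathlib import Path

BALADA_DOMAIN = "specialcraftbox[.]com".replace("[.]", ".")   # de-fanged in the article
ROGUE_PLUGIN_FILE = "wp-felody.php"
DROPPED_PAYLOAD_NAME = "sasas"
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def find_site_roots(start: Path, levels_up: int = 3) -> list[Path]:
    """Walk `levels_up` parents above `start` (assumption: same scope the
    second-stage backdoor searches) and return every WordPress root below it."""
    top = start.resolve()
    for _ in range(levels_up):
        if top.parent == top:
            break
        top = top.parent
    roots = []
    for dirpath, dirnames, filenames in os.walk(top):
        if "wp-config.php" in filenames:
            roots.append(Path(dirpath))
            dirnames[:] = []        # do not descend into a site already found
    return sorted(roots)


def check_blog_header(root: Path) -> list[str]:
    """Core ships wp-blog-header.php as a few lines of PHP with no HTML, so any
    <script> tag, or the campaign domain, means the file was modified."""
    header = root / "wp-blog-header.php"
    if not header.is_file():
        return [f"{header}: file missing"]
    text = header.read_text(errors="replace").replace("[.]", ".")
    findings = [f"{header}: references {BALADA_DOMAIN}"] if BALADA_DOMAIN in text else []
    findings += [f"{header}: injected tag {m.group(0)[:60]}" for m in SCRIPT_TAG.finditer(text)]
    return findings


def check_rogue_plugin(root: Path) -> list[str]:
    """Flag the rogue backdoor plugin file anywhere under wp-content/plugins."""
    plugins = root / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return [f"{p}: rogue plugin file present" for p in sorted(plugins.rglob(ROGUE_PLUGIN_FILE))]


def check_dropped_payload(temp_dirs) -> list[str]:
    """The article says the drop is deleted after execution, so this only
    catches a live infection window; absence proves nothing."""
    return [f"{Path(d) / DROPPED_PAYLOAD_NAME}: dropped payload present"
            for d in temp_dirs if (Path(d) / DROPPED_PAYLOAD_NAME).exists()]


def scan(start: Path, temp_dirs=None) -> dict[str, list[str]]:
    """Return {site_root: findings} for every site near `start`, plus a 'temp'
    entry for the payload check.  An empty list means nothing was found."""
    temp_dirs = [tempfile.gettempdir()] if temp_dirs is None else temp_dirs
    report = {str(r): check_blog_header(r) + check_rogue_plugin(r) for r in find_site_roots(start)}
    report["temp"] = check_dropped_payload(temp_dirs)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: two sites under one hosting account, one infected
    the way the article describes and one clean.  Returns the infected root."""
    clean_header = "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp();\n"
    infected = base / "account" / "www" / "site1"
    clean = base / "account" / "other" / "site2"
    for root in (infected, clean):
        (root / "wp-content" / "plugins").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed\n")
        (root / "wp-blog-header.php").write_text(clean_header)
    # constructed injection: a script tag pulling from the campaign domain ('loader.js' is a placeholder)
    (infected / "wp-blog-header.php").write_text(
        clean_header + f'<script src="https://{BALADA_DOMAIN}/loader.js"></script>\n')
    felody = infected / "wp-content" / "plugins" / "wp-felody"      # directory name assumed
    felody.mkdir()
    (felody / ROGUE_PLUGIN_FILE).write_text("<?php // constructed stand-in, not the backdoor\n")
    (base / DROPPED_PAYLOAD_NAME).write_text("constructed stand-in\n")
    return infected


def demo() -> dict[str, int]:
    """Build the fixture in a fresh temp dir, scan it, and return findings per site name."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        report = scan(build_sample_tree(base), temp_dirs=[base])
    return {(k if k == "temp" else Path(k).name): len(v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())   # expected: {'site2': 0, 'site1': 3, 'temp': 1}
```

Run it against a real account by replacing the fixture with `scan(Path("/path/to/one/site"))`; because the malware patches every site it can reach, the scan deliberately reports sibling installs too, and a clean wp-blog-header.php on one site does not clear the others.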
