March 7, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Beware of Balada Malware Injection Targeting WordPress


While reports of the Elementor Pro vulnerability described below have been widely circulated on the Internet, this article focuses on “Balada”, the widespread and highly persistent malware injection campaign that abuses it.

CyberNews recently published an article detailing “Balada,” a malware injection campaign targeting WordPress that has infiltrated over 1 million websites.

In April 2023, tech outlets such as Bleeping Computer and TechRadar began reporting that attackers were exploiting a vulnerability in WordPress sites that run the popular Elementor Pro plugin (a premium page builder) together with WooCommerce (an online storefront plugin).


The vulnerability is reported to carry a CVSS score of 8.8, but as of May 2023 no official CVE identifier had been assigned to it.

Sites running Elementor Pro 3.11.6 or earlier with the WooCommerce plugin active should upgrade Elementor Pro to at least 3.11.7. Otherwise, any authenticated user, including a low-privileged account, can exploit the broken access control to take full control of the site. Broken Access Control ranks first in the OWASP Top Ten, the most serious category of web application risk.



What is Balada?


Cybersecurity firm Sucuri has been tracking the Balada injection campaign since 2017, but only recently gave the long-running campaign a name.

Balada typically exploits known but unpatched vulnerabilities in WordPress plugins, themes and other software to gain an initial foothold, then spreads and maintains persistence through a series of orchestrated attack strategies, cross-site infections, and backdoor installation.


Because the Elementor Pro and WooCommerce compromise path lets an authenticated user modify the WordPress configuration, create administrator accounts, or inject URL redirects into site pages and posts, Balada can go on to steal database credentials (typically from wp-config.php), backup archives, log data, and other insufficiently protected high-value files, while establishing numerous command and control (C2) channels for persistence.


Sucuri noted that the Balada injection campaign follows a regular monthly schedule, with each wave typically starting on a weekend and ending around midweek.


Balada primarily targets Linux-based hosting, but Microsoft web servers such as IIS are not immune.

Like other contemporary malware campaigns, Balada uses newly registered domains composed of random, unrelated words to lure victims into clicking and to redirect them to websites serving malicious payloads.


These sites often pose as fake IT support services, cash-reward notifications, or even security verification services such as CAPTCHAs.

Figure 1 summarizes the initial attack vectors Balada seeks to exploit, the services and plugins it attempts to abuse, and some recognized persistence vectors. Once Balada is implanted, it is very difficult to remove.



Identifying Balada injections


Sucuri’s research further notes that the path “C:/Users/host/Desktop/balada/client/main.go” appears inside the campaign’s main Go malware binary. It is the source path from the attacker’s build environment, compiled into the binary rather than a location on infected servers, and it is where the “Balada” name comes from.

A semi-maintained VirusTotal collection lists common file hashes, URLs, and other indicators related to the malware Balada delivers and the infections it causes.


Sucuri has also repeatedly observed in the logs of compromised machines that, since late 2020, Balada has used the same outdated user agent string: “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36”. Matching this exact string in web server access logs is a cheap first check.
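The following is an added example, not code from the original article or from Sucuri: it scans access log lines in the common Apache/Nginx "combined" format for the exact user agent string above and reports which source IPs used it and whether they hit authentication or AJAX endpoints (the endpoint list and the sample log lines are constructed for the example and are assumptions, not Balada indicators from the page).

```python
import re
from collections import Counter

# Exact user agent string Sucuri reports Balada reusing since late 2020.
BALADA_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36")

# Apache/Nginx "combined" format:
# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Endpoints worth a closer look when hit by the suspicious UA (assumption: chosen
# because the Elementor Pro path described above needs an authenticated session).
SENSITIVE_PATHS = ("/wp-login.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php")


def scan_log(lines):
    """Return one dict per request whose user agent equals BALADA_UA exactly."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format: skip rather than guess at fields
        if m["ua"] != BALADA_UA:
            continue
        path = m["path"]
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": path,
            "status": int(m["status"]),
            # strip any query string before comparing against the endpoint list
            "sensitive": path.split("?", 1)[0] in SENSITIVE_PATHS,
        })
    return hits


def summarize(hits):
    """Count matching requests per source IP and how many touched sensitive endpoints."""
    per_ip = Counter(h["ip"] for h in hits)
    return {"per_ip": dict(per_ip),
            "sensitive": sum(1 for h in hits if h["sensitive"])}


# Constructed sample log lines (not real traffic); two of them carry the Balada UA.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2023:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 512 "-" "' + BALADA_UA + '"',
    '198.51.100.2 - - [12/Apr/2023:03:14:09 +0000] "GET /index.php HTTP/1.1" '
    '200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/112.0"',
    '203.0.113.7 - - [12/Apr/2023:03:14:11 +0000] "POST /wp-login.php HTTP/1.1" '
    '302 0 "-" "' + BALADA_UA + '"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize(found))
```

In practice feed it the rotated access logs as well (`zcat access.log.*.gz`), and treat a match as a lead rather than proof: the string is an ordinary, if outdated, Chrome user agent, so confirm with the request pattern (repeated POSTs to login and AJAX endpoints from one IP) before acting.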

Since 2017, Balada campaigns have been associated with more than 100 unique domains. Balada keeps a list of previously used domains (“main.ex_domains”) so that it can reuse them in later monthly infection waves.

The list in Figure 2 shows a small subset of common domains observed in recently analyzed Balada injection campaigns.
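Because the compromise path above lets the attacker inject URL redirects into pages and posts, the stored post content itself is worth scanning. The following is an added example, not code from the original article or from Sucuri: it takes rows of (ID, post_content), such as a dump of `SELECT ID, post_content FROM wp_posts`, and flags external script tags whose host is not on the site's allow-list, inline scripts that contain redirect constructs, and meta refresh redirects. The allow-list, the redirect heuristics and the sample rows are assumptions constructed for the example, not indicators taken from the page.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: configured per site).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']?([^"\'\s>]+)', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
META_REFRESH_RE = re.compile(
    r'<meta\b[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'\s>]+)', re.I)
# JavaScript constructs typical of injected redirect snippets (heuristic, an assumption).
REDIRECT_HINTS = ("location.href", "window.location", "location.replace",
                  "String.fromCharCode")


def script_host(src):
    """Return the host a script src points at, or None for relative (same-origin) URLs."""
    if src.startswith("//"):          # protocol-relative URL: //host/path
        src = "https:" + src
    elif "://" not in src:            # /wp-includes/... or plain relative path
        return None
    return urlparse(src).hostname or None


def scan_post(post_id, html):
    """Return findings for one post/page body as (post_id, kind, detail) tuples."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = script_host(src)
        if host and host not in ALLOWED_HOSTS:
            findings.append((post_id, "external_script", host))
    for body in INLINE_SCRIPT_RE.findall(html):
        if any(hint in body for hint in REDIRECT_HINTS):
            findings.append((post_id, "inline_redirect", body.strip()[:60]))
    for url in META_REFRESH_RE.findall(html):
        findings.append((post_id, "meta_refresh", url))
    return findings


def scan_posts(rows):
    """rows: iterable of (post_id, post_content); returns all findings in row order."""
    out = []
    for post_id, html in rows:
        out.extend(scan_post(post_id, html))
    return out


# Constructed sample rows (not from a real database); .invalid is a reserved TLD.
SAMPLE_POSTS = [
    (1, '<p>Hello</p><script src="/wp-includes/js/jquery.js"></script>'
        '<script src="https://www.example.com/app.js"></script>'),
    (2, '<p>Offer</p><script src="//random-unrelated-words.invalid/x.js"></script>'),
    (3, '<script>window.location.href=String.fromCharCode(104,116,116,112);</script>'),
    (4, '<meta http-equiv="refresh" content="0;url=https://fake-support.invalid/">'),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Run the same scanner over theme and plugin PHP files and over `wp_options` (widgets and theme settings are common injection points too); any host it reports that you do not recognise should be checked against the VirusTotal collection mentioned above before the content is cleaned.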



Defensive measures

In addition to keeping the web server host, plugins, themes and related software up to date to prevent Balada infection, protect DNS with a filtering service such as Cisco Umbrella or DNSFilter.

These services provide a network-level or roaming-client solution that identifies and blocks redirection attempts and DNS requests to known malicious sites.

Organizations should also enforce strong password policies, require multi-factor authentication or other conditional access policies for privileged users, and alert the appropriate teams whenever a privileged account is created. In addition, companies should consider implementing or regularly evaluating the following:

  • Regularly audit web applications for the plugins, themes and software they actually need, and remove anything unnecessary or unused.
  • Conduct routine internal penetration tests or similar assessments of web applications to identify exploitable weaknesses before Balada does.
  • Enable File Integrity Monitoring (FIM) on critical system and web root files.
  • Strictly limit access to sensitive files such as wp-config.php, website backups, log files and database archives, and apply a data retention policy that purges old copies of this data when they are no longer needed.
  • Disable unnecessary or insecure server services and protocols, such as FTP.
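The following is an added example, not code from the original article or from any FIM product, covering the FIM and sensitive-file items above: it hashes every file under the web root into a baseline stored outside it, compares a later snapshot to report added, removed and modified files, and flags wp-config.php if group or others can read it. The demo builds a small constructed WordPress-like tree in a temporary directory and simulates an injection (edited theme file, dropped PHP file under uploads, loosened wp-config.php permissions); the paths and contents are assumptions for the example.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(root, baseline_path):
    """Write the baseline as JSON; keep it outside the web root so an intruder cannot edit it."""
    Path(baseline_path).write_text(json.dumps(hash_tree(root), indent=1))


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def compare(baseline, current):
    """Classify changes since the baseline: new, deleted and modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def check_sensitive_perms(root, names=("wp-config.php",)):
    """Flag sensitive files that group or others can read or write (any of mode bits 077)."""
    bad = []
    for name in names:
        p = Path(root) / name
        if p.is_file():
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & 0o077:
                bad.append((name, oct(mode)))
    return bad


def demo():
    """Build a constructed site tree, take a baseline, simulate an injection, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        theme = site / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // theme functions\n")
        (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed');\n")
        os.chmod(site / "wp-config.php", 0o600)
        baseline_file = Path(tmp) / "baseline.json"   # deliberately outside htdocs
        save_baseline(site, baseline_file)
        perms_before = check_sensitive_perms(site)

        # Simulate what an injection leaves behind: an edited theme file, a dropped
        # PHP file under uploads, and wp-config.php made world-readable.
        with open(theme / "functions.php", "a") as fh:
            fh.write("// injected content (constructed)\n")
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php // dropped file\n")
        os.chmod(site / "wp-config.php", 0o644)

        diff = compare(load_baseline(baseline_file), hash_tree(site))
        return {"diff": diff, "perms_before": perms_before,
                "perms_after": check_sensitive_perms(site)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real host, take the baseline immediately after a clean install or a verified update, re-run the comparison from cron, and treat any new PHP file under wp-content/uploads or any change to a theme or plugin file that did not coincide with an update as an incident; legitimate updates are the one expected source of "modified" entries, so re-baseline right after each one.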



PBXscience.com © All Copyrights Reserved. | Newsphere by AF themes.