Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

One of the most worrying WordPress malware threats is making a comeback

WordPress logo

The Balada Injector malware is alive and kicking, and compromising poorly protected WordPress websites across the internet, as well as using them to target visitors, new research has claimed.

A report from researchers at Cybernews claims to have found a compromised WordPress website during a “routine web monitoring operation”.

The compromised website was apparently targeted by the Balada Injector malware - a Linux-based backdoor used to infiltrate websites through common or otherwise known vulnerabilities in WordPress plugins, themes, and similar vulnerabilities. The Balada Injector is known for attacking in “waves” - every month or so, the injector would use a new domain name, and a new code, which it would try to add to the WordPress site’s code.

Waves of attacks

This particular site has had seven different instances of malicious code added and stacked on top of one another. That means that the website suffered seven “waves” of hacking attacks. This code, which was added to the very top of the page and would run before the website loaded, was meant to grant the attackers remote access to infected machines and redirect visitors to different websites with malvertising campaigns running.  

When the researchers deobfuscated and examined some of the PHP payloads found on the compromised website, they discovered URLs of newly spawned Command & Control (C2) endpoints, and subsequent obfuscated JavaScript files, used in the operation scheme. A total of five URLs were found being accessed to load malicious JavaScript onto exploited websites, the researchers said. 

The good news for potential victims is that the Balada Injector still isn’t as advanced as it could be. It doesn’t check if compromised websites have had malicious code added before, and because of that, instead of serving the landing page, the website forced the download of a PHP file, which raised red flags with the researchers and, at the end of the day, helped discover the hacking campaign.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.