Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017.
The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks.
"This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites," security researcher Denis Sinegubko said.
The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to 'Please Allow to verify, that you are not a robot,' thereby enabling the actors to send spam ads.
The report builds on recent findings from Doctor Web, which detailed a Linux malware family that exploits flaws in more than two dozen plugins and themes to compromise vulnerable WordPress sites.
In the interim years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (e.g., HTML injection and Site URL), with the attackers primarily attempting to obtain database credentials in the wp-config.php file.
Additionally, the attacks are engineered to read or download arbitrary site files – including backups, database dumps, log and error files – as well as search for tools like adminer and phpmyadmin that could have been left behind by site administrators upon completing maintenance tasks.
The malware ultimately allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access.
Balada Injector further carries out broad searches from top-level directories associated with the compromised website's file system to locate writable directories that belong to other sites.
"Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions," Sinegubko said. "In this manner, compromising just one site can potentially grant access to several other sites 'for free.'"
Should these attack pathways turn out to be unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are, therefore, recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.
The activity, which also employs String.fromCharCode as an obfuscation technique, leads victims to booby-trapped pages that trick them into enabling push notifications by masquerading as a fake CAPTCHA check to serve deceptive content.
"The injected malicious JS code was included on the homepage of more than half of the detected websites," Unit 42 researchers said. "One common tactic used by the campaign's operators was to inject malicious JS code on frequently used JS filenames (e.g., jQuery) that are likely to be included on the homepages of compromised websites."
"This potentially helps attackers target the website's legitimate users, since they are more likely to visit the website's home page."