Catfishin' Malware: Balada Injector hijacked over 6,700 websites since December, redirecting visitors to fake popups and scams.
Exploiting Rusty Tools: This attack used a vulnerability in the outdated Popup Builder plugin, highlighting the importance of software updates.
Shady Destinations: Balada sends visitors to fake support pages, lottery scams, and push notification spam traps.
Patch & Protect: Keep your WordPress themes and plugins updated, minimize unnecessary plugins, and be wary of suspicious redirections.
Y'all remember back in December when that nasty Balada Injector malware started whisperin' sweet nothings in the ears of over 6,700 WordPress websites? Turns out this ain't no holiday romance, folks, it's a full-blown catfishin' scheme aimed at stealin' your website traffic and sendin' folks to fake popups like a carnival barker with a smooth tongue.
This Balada critter ain't new, been playin' tricks since 2017, messin' with over 17,000 websites in its time. This latest stunt uses a sneaky little loophole in a WordPress plugin called Popup Builder, slippin' through like a possum under a fence. See, Popup Builder helps folks build fancy popups on their websites, but like any tool, if it ain't kept up-to-date, it can turn rusty and leave your site vulnerable.
That's exactly what happened, Balada saw this rusty loophole and pounced, injectin' malicious code like a spider spinnin' a web. This code redirects your visitors from your site to shady places like fake support pages, lottery scams, and even those annoying push notification popups that just won't quit. Talk about a buzzkill!
But here's the good news, folks: we ain't gotta just sit here and watch catfishin' Balada run wild. We can fight back, and it ain't rocket science. First things first, update your WordPress themes and plugins, especially that Popup Builder. Patch those holes like you mend a tear in your favorite fishin' net. Don't keep no software hangin' around lookin' rusty, that's just an invitation for trouble.
Next, keep your website lean and mean, like a well-built bass boat. No need for a cluttered deck with a million plugins you ain't usin'. The fewer bells and whistles, the less surface area for catfishin' critters to latch onto. Remember, sometimes less is more, especially when it comes to website security.
So, keep your software patched, your plugins pruned, and your eyes peeled for those fishy redirections. Balada might be a smooth talker, but we're smarter than catfish bait. Let's keep our WordPress websites safe and sound, one update and precaution at a time!
Balada Injector Malware: IOCs and TTPs
Indicators of Compromise (IOCs):
Domains:
Hundreds of domains used for C&C and malicious redirections, often registered with Cloudflare and displaying registration patterns (e.g., sequential numbers).
Recent examples:
b92a6c4b[.]xyz
2f50d54a[.]xyz
90d4b230[.]xyz
Files (filenames only; no hashes are listed):
Backdoor filename:
wp-felody.php
Malicious JavaScript code fragments identified by Sucuri.
WordPress:
Vulnerable versions of Popup Builder plugin (4.2.3 and older).
Modifications to wp-blog-header.php file injecting backdoor code.
Presence of "sgpbWillOpen" event hijacking in injected JavaScript.
Other:
Push notification scams and fake lottery sites linked to the campaign.
Tactics, Techniques, and Procedures (TTPs):
Exploiting Vulnerabilities: Targeting known WordPress plugin flaws like CVE-2023-6000 in Popup Builder.
Code Injection: Injecting malicious JavaScript code through vulnerabilities or modified files to redirect visitors.
Backdoors: Planting backdoors like "wp-felody.php" for remote access, command execution, and payload delivery.
Domain Obfuscation: Using dynamic domain registration and Cloudflare to mask C&C server locations.
Social Engineering: Redirecting visitors to deceptive popups and scams to steal data or lure clicks.
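A defender-side file scan built from the indicators in the IOC and TTP lists above, added here as an example and not code from the original post or from Sucuri's tooling: it walks a WordPress install and flags the listed backdoor filename, the sgpbWillOpen hook, domains shaped like the three listed examples, and obfuscation calls inside wp-blog-header.php. The domain pattern and the obfuscation heuristic are assumptions generalised from the list, and the install it scans is a constructed sample written to a temp directory.

```python
import os, re, tempfile

# Indicators copied from the IOC list above.
BACKDOOR_FILENAMES = {"wp-felody.php"}
EVENT_MARKER = "sgpbWillOpen"
CORE_FILE = "wp-blog-header.php"
DOMAIN_RE = re.compile(r"\b[0-9a-f]{8}\.xyz\b")  # assumed: generalised from the 3 listed domains
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(")  # assumed heuristic

def scan_file(name, text):
    """Return the indicator labels that match one file's name or contents."""
    hits = []
    if name in BACKDOOR_FILENAMES:
        hits.append("backdoor filename")
    if EVENT_MARKER in text:
        hits.append("sgpbWillOpen hook")
    for dom in sorted(set(DOMAIN_RE.findall(text))):
        hits.append("suspicious domain " + dom)
    if name == CORE_FILE and OBFUSCATION_RE.search(text):
        hits.append("obfuscated code in core file")
    return hits

def scan_wordpress_tree(root):
    """Walk an install; return {relative path: [indicators]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_file(name, fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Write a constructed sample install to a temp dir and scan it."""
    samples = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",  # clean
        "wp-blog-header.php": "<?php require __DIR__ . '/wp-load.php'; wp();\n",  # clean
        "wp-felody.php": "<?php /* constructed stand-in for the backdoor file */\n",
        "wp-content/plugins/popup-builder/inject.js":
            "document.addEventListener('sgpbWillOpen', function () {\n"
            "  var next = 'https://b92a6c4b.xyz/';  // domain from the IOC list\n});\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_wordpress_tree(root)
```

Run against a real install, treat a domain-pattern hit as a lead to verify rather than proof, since the campaign rotates domains and the pattern is only inferred from three samples.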
Additional Notes:
Balada Injector is a long-standing threat, active since 2017, with over 17,000 compromised websites in total.
The latest campaign highlights the importance of keeping software updated, especially WordPress plugins.
Monitoring network traffic and website activity for suspicious behavior is crucial for early detection.
Security researchers and organizations continue to track Balada Injector and update IOCs and TTPs as needed.