A new wave of Balada malware injection attacks has been found exploiting a vulnerable tagDiv premium theme plugin to target Newspaper and Newsmag websites. The flaw in question is an unauthenticated XSS vulnerability in the plugin that was first disclosed in September. The plugin is used by over 135,000 users, which emphasizes the risk associated with the attack.
1. The attackers are using different tactics and techniques to stay under the radar while duping users into visiting fake websites.
2. The first wave of attacks was launched by injecting two variants of Balada injector into public WordPress pages.
3. While the first variant was detected on over 4,000 sites, the second variant was found on another 1,000 websites.
4. In the second wave of attacks, the attackers created malicious admin usernames and email IDs for the targeted sites to initiate the infection process or to plant backdoors.
5. The third wave involved planting the malware injector in the Newspaper theme’s 404.php file.
6. Around September 17–18, in the fourth wave, the attackers shifted the existing infection process and began using a malicious wp-zexit plugin installation that mimicked the original installation page.
7. In the fifth wave, which started on September 21, the attackers moved the injection to the std_live_css_local_storage option in the WordPress database. Additionally, they registered three new domains within a period of seven seconds.
8. The sixth wave began on September 29 and involved several different scripts that loaded malware from the subdomains of promsmotion[.]com.
A similar incident in the past
This is not the first time that malware operators have leveraged the plugin to target websites. The malware injector was part of a massive campaign that infected over one million WordPress websites for around five years, starting in 2017. The subdomains of these WordPress sites were injected with malicious scripts that redirected visitors to scam sites including fake tech support, fraudulent lottery wins, and push notification scams.
Researchers have shared the list of malicious domains and IP addresses to help organizations detect such threats. Updating the plugin to the latest version, 4.2, and using website scanners helps users prevent infection. Furthermore, it is recommended to remove all unwanted admin users and redundant plugins.
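The waves listed above name concrete places to look on a site (the std_live_css_local_storage option, the theme's 404.php, a rogue wp-zexit plugin, unexpected administrator accounts, and script loads from subdomains of promsmotion[.]com), and the recommendations amount to checking those places and pruning admins and plugins. The following script is an added example that is not code from the article, Sucuri or tagDiv: it runs the corresponding checks over data exported from a site (an options dump, theme file contents, the installed plugin list and the administrator list). The theme directory name Newspaper, the eval/base64_decode loader heuristic, and all sample inputs at the bottom are assumptions constructed for illustration.

```python
"""
Indicator hunt for the infection locations described in the article.
Added example; operates on exported site data, not a live WordPress install.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MALICIOUS_DOMAINS = {"promsmotion.com"}            # named in the article; subdomains also match
SUSPICIOUS_PLUGINS = {"wp-zexit"}                  # rogue plugin named in the article
WATCHED_OPTIONS = {"std_live_css_local_storage"}   # option abused in the fifth wave

SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Generic obfuscated-loader markers; a heuristic assumption, not campaign-specific.
PHP_LOADER = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


@dataclass(frozen=True)
class Finding:
    location: str
    reason: str


def hosts_in(text: str) -> set[str]:
    """Return every host referenced by an absolute http(s) URL in text."""
    return {h.lower() for h in HOST_RE.findall(text)}


def is_malicious_host(host: str) -> bool:
    """Match the listed domains and any of their subdomains (suffix on a dot boundary)."""
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def scan_options(options: dict[str, str]) -> list[Finding]:
    """A CSS storage option should hold CSS, never markup or loads from bad hosts."""
    out: list[Finding] = []
    for name, value in options.items():
        if name in WATCHED_OPTIONS and SCRIPT_TAG.search(value):
            out.append(Finding(f"option:{name}", "script tag stored in CSS option"))
        for h in hosts_in(value):
            if is_malicious_host(h):
                out.append(Finding(f"option:{name}", f"references {h}"))
    return out


def scan_theme_files(files: dict[str, str]) -> list[Finding]:
    """Flag theme files that reference bad hosts, and loader constructs in 404.php."""
    out: list[Finding] = []
    for path, body in files.items():
        for h in hosts_in(body):
            if is_malicious_host(h):
                out.append(Finding(path, f"references {h}"))
        if path.endswith("404.php") and PHP_LOADER.search(body):
            out.append(Finding(path, "obfuscated loader construct in 404.php"))
    return out


def scan_plugins(slugs: list[str]) -> list[Finding]:
    return [Finding(f"plugin:{s}", "rogue plugin slug") for s in slugs if s in SUSPICIOUS_PLUGINS]


def scan_admins(admins: list[tuple[str, str]], expected: set[str]) -> list[Finding]:
    """Flag administrator logins that are not on the site's known allow-list."""
    return [Finding(f"user:{login}", f"unexpected administrator <{email}>")
            for login, email in admins if login not in expected]


def scan_site(options, theme_files, plugins, admins, expected_admins) -> list[Finding]:
    return (scan_options(options) + scan_theme_files(theme_files)
            + scan_plugins(plugins) + scan_admins(admins, expected_admins))


# --- constructed sample snapshot (not real site data) ---------------------
SAMPLE_OPTIONS = {
    "std_live_css_local_storage":
        'body{margin:0}<script src="https://cdn.promsmotion.com/x.js"></script>',
    "blogname": "Example News",
}
SAMPLE_THEME = {
    "wp-content/themes/Newspaper/404.php": "<?php get_header(); eval(base64_decode('...')); ?>",
    "wp-content/themes/Newspaper/footer.php": "<?php wp_footer(); ?>",
}
SAMPLE_PLUGINS = ["td-composer", "wp-zexit"]
SAMPLE_ADMINS = [("editor_jane", "jane@example.com"), ("wpadmin_9f2", "x@example.net")]
EXPECTED_ADMINS = {"editor_jane"}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_OPTIONS, SAMPLE_THEME, SAMPLE_PLUGINS, SAMPLE_ADMINS, EXPECTED_ADMINS):
        print(f"{f.location}: {f.reason}")
```

The option check is deliberately strict: a CSS storage option has no legitimate reason to contain a script tag, so that alone is a finding even before the referenced host is compared against the published domain list. The administrator check depends on a maintained allow-list of expected logins, which is what makes the "remove unwanted admin users" recommendation auditable rather than a judgement call.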