A recent surge in Balada malware injection attacks has targeted Newspaper and Newsmag websites, exploiting a vulnerability in the tagDiv premium theme plugin. The flaw is an unauthenticated cross-site scripting (XSS) vulnerability first disclosed in September; with a user base of over 135,000, the plugin's exposure is a significant concern.

Attack Strategies:

Attackers have employed various tactics to avoid detection while deceiving users into visiting counterfeit websites.

1. Initial Injections: The first wave of attacks saw the injection of two Balada injector variants into public WordPress pages, affecting over 4,000 and 1,000 sites, respectively.

2. Malicious Admin Creation: In the second wave, the attackers crafted malicious admin usernames and email IDs for targeted sites to initiate infections or implant backdoors.

3. Theme File Manipulation: The third wave involved implanting the malware injector within the Newspaper theme's 404.php file.

4. WP-ZExit Plugin: Around September 17–18, attackers shifted the infection method by using a malicious wp-zexit plugin installation that mimicked the original page.

5. Database Injection: Starting on September 21, the fifth wave relocated the injection to the std_live_css_local_storage option in the WordPress database. In addition, they registered three new domains in a mere seven seconds.

6. Multi-Script Approach: The sixth wave, commencing on September 29, employed multiple scripts that loaded malware from subdomains of promsmotion[.]com.

Historical Context:

This incident is not the first instance of malware operators targeting the tagDiv plugin. It was previously part of a large-scale campaign that infected over one million WordPress websites over approximately five years, starting in 2017. The subdomains of these WordPress sites hosted malicious scripts that redirected visitors to scam sites, including fake tech support, fraudulent lottery winnings, and push notification scams.

Preventive Measures:

To counteract such threats, researchers have shared a list of malicious domains and IP addresses for organizations to detect and mitigate risks. Users are advised to update the plugin to the latest version (4.2) and employ website scanners to prevent infections. Additionally, the removal of unwanted admin users and redundant plugins is recommended to bolster security.

By following these measures, website owners can safeguard their platforms against Balada malware attacks and enhance overall cybersecurity.
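The checks described under Preventive Measures can be automated. The script below is an added example written for this article; it is not code from the article, from tagDiv, or from the researchers it cites. It assumes the site's wp_options rows, theme files and user list have already been exported into Python dicts and lists (in practice they would come from the database and filesystem), uses promsmotion[.]com as the only known-bad domain because it is the only one the article names (a real deployment would load the researchers' published list), and runs over constructed sample data that mirrors the infection points the article describes: an injected database option, a tampered 404.php, and an unexpected administrator account.

```python
"""Defensive sweep for Balada-style injections in a WordPress export.

Added example, not from the article. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Indicator list. promsmotion.com is the one domain named in the article;
# any further entries would come from the researchers' published IoC list.
KNOWN_BAD_DOMAINS = {"promsmotion.com"}

# <script ... src="//host/..."> -> captures the host part only.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE)
# <script>...</script> with a non-empty body (inline loader / eval stub).
INLINE_SCRIPT_RE = re.compile(
    r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    location: str   # e.g. "wp_options:std_live_css_local_storage"
    kind: str       # "known_bad_domain", "external_script" or "inline_script"
    detail: str     # host name or a prefix of the inline script body


def is_known_bad(host):
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def scan_blob(location, blob):
    """Report every script tag in a text blob; external ones are checked against IoCs."""
    findings = []
    for host in SCRIPT_SRC_RE.findall(blob):
        kind = "known_bad_domain" if is_known_bad(host) else "external_script"
        findings.append(Finding(location, kind, host.lower()))
    for body in INLINE_SCRIPT_RE.findall(blob):
        if body.strip():
            findings.append(Finding(location, "inline_script", body.strip()[:60]))
    return findings


def scan_options(options):
    """options: dict of option_name -> option_value (wp_options export)."""
    findings = []
    for name, value in options.items():
        findings.extend(scan_blob(f"wp_options:{name}", str(value)))
    return findings


def scan_theme_files(files):
    """files: dict of relative path -> file contents (theme export)."""
    findings = []
    for path, contents in files.items():
        findings.extend(scan_blob(path, contents))
    return findings


def unexpected_admins(users, approved_logins):
    """Administrators whose login is not on the site owner's approved list."""
    return sorted(u["user_login"] for u in users
                  if u["role"] == "administrator"
                  and u["user_login"] not in approved_logins)


# ---- constructed sample data (not real site content) ----
SAMPLE_OPTIONS = {
    "siteurl": "https://example.com",
    "blogname": "Example News",
    # Injection point named in the article; the host is constructed under the
    # one domain the article names.
    "std_live_css_local_storage":
        '<script src="//cdn.promsmotion.com/a.js"></script>',
}
SAMPLE_THEME_FILES = {
    # Constructed: a loader stub appended to the Newspaper theme's 404.php
    "wp-content/themes/Newspaper/404.php":
        "<?php get_header(); ?>\n<script>eval(atob('AAAA'))</script>\n",
    "wp-content/themes/Newspaper/functions.php": "<?php // untouched\n",
}
SAMPLE_USERS = [
    {"user_login": "editor_in_chief", "role": "administrator"},
    {"user_login": "wpupdate-admin", "role": "administrator"},  # constructed rogue admin
    {"user_login": "reporter", "role": "author"},
]

if __name__ == "__main__":
    for f in scan_options(SAMPLE_OPTIONS) + scan_theme_files(SAMPLE_THEME_FILES):
        print(f"{f.kind:17} {f.location}: {f.detail}")
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"editor_in_chief"}))
```

Every `external_script` hit that is not on the indicator list still deserves a look: the article notes that the attackers rotated through freshly registered domains, so an unknown third-party script host in a database option or theme file is suspicious on its own, and the indicator list only confirms what is already known.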
