Balada Injector Campaign

Just over a month ago, defenders warned the community about CVE-2023-4634, a critical WordPress vulnerability exploited in the wild against a large number of sites worldwide. Now another malicious operation has come to the forefront. A fresh surge in the long-running Balada Injector malware campaign has already compromised over 17,000 WordPress websites, more than half of them through exploitation of the tagDiv Composer vulnerability tracked as CVE-2023-3169. With WordPress powering over 40% of all websites on the Internet, it is essential for security teams to promptly patch identified vulnerabilities in popular CMS plugins and themes.

Detect the Balada Injector Malware Campaign Leveraging a tagDiv Composer Vulnerability

The growing number of security flaws discovered in popular software used by thousands of organizations and millions of websites poses a real threat once those flaws are exploited. To help security teams stay ahead of the curve, SOC Prime has curated a new Sigma rule to detect the latest Balada Injector malware campaign exploiting the tagDiv Composer vulnerability. Follow the link below to access the Sigma rule for CVE-2023-3169 exploitation detection and automatically convert it to any of the 18 supported SIEM, EDR, XDR, or Data Lake language formats:

Detecting Balada Malware Injections Campaign (Oct 2023) by Using Unauthenticated Stored XSS vulnerability in the tagDiv Composer (via webserver)

The detection, written by our prolific Threat Bounty developer Aung Kyaw Min Naing, is mapped to the MITRE ATT&CK framework and addresses the Initial Access tactic with Exploit Public-Facing Application (T1190) as the corresponding technique. Join SOC Prime's crowdsourced detection engineering program to hone your Sigma and ATT&CK skills and advance your career by producing your own detection code and sharing it with industry peers.

Click Explore Detections for more CTI-enriched Sigma rules to proactively detect the long-running Balada Injector malware campaign that exposes thousands of WordPress sites to intrusion.

Explore Detections

Balada Malware Analysis: A Persistent Campaign Using the Stored XSS Vulnerability in the tagDiv Composer

A new wave of the long-running Balada Injector operation has affected 17,000+ WordPress sites. For over half a decade this campaign has been weaponizing theme and plugin bugs to compromise WordPress installations.

Balada Injector attacks first came to public notice at the end of 2022, when researchers documented a Linux-based backdoor that leveraged multiple exploits for popular WordPress plugins and themes to compromise sites as part of a cybercriminal operation.

In the current campaign, adversaries exploit CVE-2023-3169, an unauthenticated stored cross-site scripting (XSS) vulnerability in tagDiv Composer, a companion plugin for tagDiv's Newspaper and Newsmag themes. The flaw lets an attacker without credentials store JavaScript that is later rendered to everyone who visits an affected page. The latest wave dates back to mid-September 2023, shortly after the CVE-2023-3169 details and a proof-of-concept exploit were published. Notably, recent Sucuri research traces the operators' interest in tagDiv products back to the summer of 2017, when Balada Injector actively abused security flaws in the Newspaper and Newsmag themes to compromise targeted sites.

A telltale sign of CVE-2023-3169 exploitation is a malicious script injected within particular tags on affected pages, while the obfuscated injection itself is stored in the "wp_options" table of the WordPress database. Because the payload is stored server-side, it executes in the browser of every visitor who loads an affected page, including logged-in administrators, whose session the script can use to act with admin privileges. Sucuri notes that the operators have long sought persistent control over compromised sites by implanting backdoors, deploying malicious plugins, and creating rogue WordPress admin users. In the current campaign, the attackers are experimenting with new techniques and tools: changing their injected scripts, using multiple domains and subdomains at once, abusing Cloudflare, and targeting admin accounts in a number of ways.

To safeguard your infrastructure, update the tagDiv Composer plugin to version 4.2 or later, which fully patches the XSS flaw. Also keep all WordPress themes and plugins up to date, remove inactive and unrecognized user accounts, and scan regularly for signs of Balada Injector presence.
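As an added example (not code from this page, SOC Prime, or Sucuri), the following Python script turns the indicators above and the scanning advice into a check you can run against a database dump: it flags wp_options rows that contain script tags, common JavaScript obfuscation constructs, or base64 blobs that decode to script, and lists administrator accounts that are not on an expected allow-list. The option names, values, user logins and regex patterns are all constructed assumptions for illustration, not the campaign's actual IOCs.

```python
"""Heuristic scan for Balada-style injections in a WordPress site.

Assumptions: the option rows and user rows below are CONSTRUCTED for this
example (they are not indicators published by Sucuri or SOC Prime), and the
patterns are generic obfuscation markers, not the campaign's exact payload.
"""
import base64
import binascii
import re

# Generic markers of injected or obfuscated JavaScript (assumption: heuristics).
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
OBFUSCATION = re.compile(
    r"String\.fromCharCode|eval\s*\(|atob\s*\(|unescape\s*\(|document\.write"
    r"|(?:\\x[0-9a-f]{2}){8,}",          # long runs of hex-escaped bytes
    re.IGNORECASE,
)
# Long base64-looking runs that may hide a second-stage script.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_blobs(value):
    """Yield the decoded text of every long base64-looking run in value."""
    for match in BASE64_BLOB.finditer(value):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", errors="ignore")


def classify_option(value):
    """Return the reasons an option value looks injected; [] means clean."""
    reasons = []
    if SCRIPT_TAG.search(value):
        reasons.append("script tag in option value")
    if OBFUSCATION.search(value):
        reasons.append("obfuscated JavaScript construct")
    for decoded in decode_base64_blobs(value):
        if SCRIPT_TAG.search(decoded) or OBFUSCATION.search(decoded):
            reasons.append("base64 blob decodes to script")
            break
    return reasons


def scan_options(rows):
    """rows: iterable of (option_name, option_value) from wp_options.

    Returns {option_name: [reasons]} for every suspicious row."""
    findings = {}
    for name, value in rows:
        reasons = classify_option(value)
        if reasons:
            findings[name] = reasons
    return findings


def find_rogue_admins(users, expected_admins):
    """users: iterable of (user_login, role). Returns administrator logins
    that are not on the allow-list, sorted, so rogue admins stand out."""
    return sorted(login for login, role in users
                  if role == "administrator" and login not in expected_admins)


# Constructed sample data: one clean row, one script injected after a closing
# </style> tag, one obfuscated payload, and one base64-wrapped script.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("theme_custom_css",
     'body{margin:0}</style><script src="https://cdn.invalid/c.js"></script><style>'),
    ("widget_text", "eval(String.fromCharCode(100,111,99,117,109,101,110,116))"),
    ("some_cache",
     base64.b64encode(b"<script>document.write('x')</script>").decode("ascii")),
]
SAMPLE_USERS = [
    ("admin", "administrator"),
    ("editor1", "editor"),
    ("wp-support", "administrator"),   # constructed rogue account
]

if __name__ == "__main__":
    for name, reasons in scan_options(SAMPLE_OPTIONS).items():
        print(f"{name}: {', '.join(reasons)}")
    print("rogue admins:", find_rogue_admins(SAMPLE_USERS, {"admin"}))
```

To run this against a live site, feed scan_options the rows returned by WP-CLI's `wp db query "SELECT option_name, option_value FROM wp_options"` and find_rogue_admins the output of `wp user list --role=administrator`. Pattern hits are leads for manual review rather than proof of compromise, and a clean result does not rule out backdoors planted in plugin or theme files, which this scan does not look at.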

Keeping up with the ever-changing attack surface calls for stronger detection engineering and threat hunting capabilities. Try Uncoder AI, an IDE for detection engineering, to streamline rule generation and validation with automated syntax and logic checks, enrich your code with tailored intelligence, and auto-parse IOCs into custom search queries for retrospective hunts in your SIEM or XDR environment.
