A widespread malware campaign, Balada Injector, has compromised over 1,000 WordPress websites, infecting them with multiple backdoors to ensure long-term persistence. This highly evasive attack injects malicious JavaScript code, rogue plugins, and SSH-based exploits, making it extremely difficult for victims to fully remove the infection.
How Balada Injector Attacks WordPress Sites
The attack begins with automated vulnerability scanning, targeting outdated WordPress plugins, themes, and misconfigured installations. Once a vulnerability is found, the malware gains access and deploys four different backdoors to maintain control over the infected site.
The Four Types of Backdoors Used
- Fake WordPress Plugin:
  - The malware installs a fraudulent plugin named “Ultra SEO Processor”, allowing attackers to execute arbitrary commands remotely.
  - This plugin disguises itself as a legitimate SEO tool while secretly injecting malicious scripts into website files.
- JavaScript Injection into Core WordPress Files:
  - The malware modifies critical files like wp-config.php to inject malicious JavaScript.
  - This script redirects visitors to phishing pages, scam sites, and exploit kits designed to steal credentials or distribute malware.
- SSH Key Backdoor for Remote Access:
  - Attackers inject SSH keys into the ~/.ssh/authorized_keys file, granting them persistent remote access to the compromised server.
  - Even if a site owner removes the malicious plugin, this backdoor ensures the hacker retains control.
- Remote Command Execution for Additional Payloads:
  - The malware fetches secondary payloads from external hacker-controlled servers, allowing real-time updates and deeper system compromise.
  - This backdoor can be used to execute reverse shells, escalate privileges, and deploy ransomware or cryptocurrency miners.
Why This Malware is Particularly Dangerous
The multi-layered approach of Balada Injector makes it difficult to detect and remove. Even if one backdoor is found and deleted, the remaining ones restore access, keeping the site compromised.
Hackers behind the campaign have also registered new domains and IPs regularly to avoid detection, making traditional security measures less effective.
How to Protect Your WordPress Site
- Update WordPress, plugins, and themes regularly – Most infections occur due to outdated or vulnerable software.
- Remove unused or suspicious plugins – If you don’t recognize a plugin, it may be malware.
- Check for unauthorized admin users and SSH keys – Remove any unknown accounts or SSH access permissions.
- Scan for modified core files – Run integrity checks to detect changes in wp-config.php and other WordPress system files.
- Use a Web Application Firewall (WAF) – Prevent malicious bots from exploiting vulnerabilities.
- Monitor server logs for unusual activity – Sudden spikes in file modifications or outbound traffic can indicate an attack.
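The three checks above that can be automated (core-file integrity, unknown SSH keys, unexpected plugin directories) as an added example written for this article, not code from the researchers who reported the campaign. The baseline hashes, allowlisted keys and expected plugin names are assumed to come from the site owner's own records; the demo builds a constructed site tree in a temporary directory with one tampered file, one foreign key and one unexpected plugin slug.

```python
import hashlib
import tempfile
from pathlib import Path

# Prefixes of the key-type token in an authorized_keys line (options may precede it).
SSH_KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def modified_files(root: Path, baseline: dict) -> list:
    """Relative paths whose SHA-256 differs from the recorded baseline, or that are missing."""
    return [rel for rel, digest in baseline.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]

def key_material(line: str):
    """Return '<type> <base64>' from an authorized_keys line, skipping leading options and comment."""
    toks = line.split()
    for i, tok in enumerate(toks):
        if tok.startswith(SSH_KEY_PREFIXES) and i + 1 < len(toks):
            return f"{tok} {toks[i + 1]}"
    return None  # blank line, '#' comment, or unparsable entry

def unknown_ssh_keys(authorized_keys: Path, allowed: set) -> list:
    """Keys in authorized_keys that are not on the operator's allowlist."""
    keys = (key_material(line) for line in authorized_keys.read_text().splitlines()
            if line.strip() and not line.lstrip().startswith("#"))
    return [k for k in keys if k and k not in allowed]

def unknown_plugins(plugins_dir: Path, expected: set) -> list:
    """Plugin directories that are not on the site's expected list."""
    return sorted(p.name for p in plugins_dir.iterdir() if p.is_dir() and p.name not in expected)

def run_demo() -> dict:
    """Constructed site tree: wp-config.php tampered, one foreign key, one unexpected plugin."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
    (root / "index.php").write_text("<?php // original\n")
    baseline = {"wp-config.php": sha256_of(root / "wp-config.php"),
                "index.php": sha256_of(root / "index.php")}
    # Simulate the injection described above: a script tag appended after the baseline was taken
    (root / "wp-config.php").write_text(
        (root / "wp-config.php").read_text() + "<script>/*injected*/</script>\n")
    good = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyPlaceholder admin@example"  # constructed
    bad = "no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIForeignKeyPlaceholder x"  # constructed
    (root / "authorized_keys").write_text(f"# managed by ops\n{good}\n{bad}\n")
    for name in ("akismet", "ultra-seo-processor"):  # second slug is a constructed stand-in
        (root / "plugins" / name).mkdir(parents=True)
    return {"modified": modified_files(root, baseline),
            "foreign_keys": unknown_ssh_keys(root / "authorized_keys", {key_material(good)}),
            "rogue_plugins": unknown_plugins(root / "plugins", {"akismet"})}
```

Against a real site, point the functions at the WordPress root, the web user's ~/.ssh/authorized_keys and wp-content/plugins, and keep the baseline hashes somewhere the web server cannot write.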
The Rising Threat to WordPress Websites
Balada Injector is just one of many growing threats against WordPress-powered websites, which account for nearly 40% of all websites on the internet. Attackers are continuously evolving their techniques, using automation and AI-powered scanning tools to exploit vulnerabilities at scale.
With this latest campaign, WordPress administrators must take proactive security measures to safeguard their websites, customer data, and business reputation.