A new campaign of the long-running Balada Injector malware has been discovered. It targets WordPress sites running the premium Newspaper and Newsmag themes by exploiting a vulnerability in the tagDiv Composer plugin bundled with those themes. The flaw, an unauthenticated stored cross-site scripting (XSS) vulnerability tracked as CVE-2023-3169, was first disclosed in September 2023.
The plugin is widely deployed: the themes it ships with have over 135,000 customers, so the pool of exploitable sites is large.
The attackers rotate their tactics to evade detection and to redirect visitors to scam sites. The first wave injected two variants of the Balada injector into public-facing WordPress pages: the first variant was detected on over 4,000 sites, the second on a further 1,000.
In the second wave the attackers created rogue administrator accounts, with their own usernames and email addresses, on the compromised sites. These accounts gave them persistent access to restart the infection or plant backdoors even after the injected code was removed.
In the third wave the injector was inserted into the Newspaper theme's 404.php template. The fourth wave moved the infection into a malicious plugin named wp-zexit, whose installation mimicked a legitimate plugin installation page.
The fifth wave, which started on September 21, moved the injection into the td_live_css_local_storage option in the WordPress database, the wp_options entry in which tagDiv stores its "Live CSS" customizations. In the same wave the attackers registered three new domains within seven seconds of each other.
The sixth wave began on September 29 and used several scripts that loaded further malware from subdomains of promsmotion[.]com.
This is not the first time Balada's operators have exploited tagDiv software. In a previous large-scale campaign that ran for five years from 2017, over one million WordPress websites were infected. The injected scripts redirected visitors to scam pages offering fake tech support, fraudulent lottery winnings, and push notification scams.
To help defenders, researchers have shared a list of the malicious domains and IP addresses used in the campaign. Site owners should update tagDiv Composer to version 4.2 or later, which fixes the XSS flaw, and scan their sites. Updating alone does not clean a site that is already infected, because the injected code persists in the database and theme files; removing unrecognised administrator accounts and unnecessary plugins is also recommended.
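The indicators described above (rogue administrators, the theme's 404.php template, the wp-zexit plugin, the td_live_css_local_storage option and the promsmotion[.]com domain) can be turned into an offline triage check. The Python below is an added example written for this page, not the researchers' or tagDiv's tooling. It assumes you have exported wp_options, theme files, plugin slugs and administrator accounts into the plain dict format it documents (for instance with WP-CLI or from a database dump); the sample export it ships with is constructed, including the subdomain, login names and payload.

```python
import re

# Indicators taken from the article: the wp_options entry abused in wave 5,
# the rogue plugin slug from wave 4 and the domain whose subdomains served
# the wave-6 payloads. 404.php (wave 3) is matched by path below.
INJECTED_OPTION = "td_live_css_local_storage"
ROGUE_PLUGIN = "wp-zexit"
MALICIOUS_DOMAIN_RE = re.compile(r"promsmotion\.com", re.I)

# Markup or JS primitives that never belong in a CSS option and are a
# strong hint of injection inside a theme template.
SCRIPT_TAG_RE = re.compile(r"<script\b", re.I)
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|base64_decode\s*\(|atob\s*\(|String\.fromCharCode", re.I)


def scan_text(label, text):
    """Return one finding string per indicator matched in `text`."""
    findings = []
    if SCRIPT_TAG_RE.search(text):
        findings.append(f"{label}: <script> tag present")
    if OBFUSCATION_RE.search(text):
        findings.append(f"{label}: obfuscation primitive (eval/base64/atob)")
    if MALICIOUS_DOMAIN_RE.search(text):
        findings.append(f"{label}: reference to promsmotion.com")
    return findings


def triage(site, known_admins):
    """Run every check over an exported site and return the findings.

    `site` uses this script's own (assumed) export format:
      options     - dict option_name -> option_value from wp_options
      theme_files - dict relative path -> file contents
      plugins     - list of installed plugin slugs
      admin_users - list of {"user_login": ..., "user_email": ...} holding
                    the administrator role
    `known_admins` is the set of logins the site owner actually created.
    """
    findings = []

    # Wave 5: tagDiv's Live CSS option should hold CSS only.
    live_css = site["options"].get(INJECTED_OPTION, "")
    findings += scan_text(f"option {INJECTED_OPTION}", live_css)

    # Wave 3: a theme 404.php template carrying inline JS is suspect.
    for path, content in site["theme_files"].items():
        if path.endswith("/404.php"):
            findings += scan_text(path, content)

    # Wave 4: the rogue plugin is identified by its slug.
    if ROGUE_PLUGIN in site["plugins"]:
        findings.append(f"plugin {ROGUE_PLUGIN} installed")

    # Wave 2: any administrator the owner did not create.
    for user in site["admin_users"]:
        if user["user_login"] not in known_admins:
            findings.append(
                f"unexpected administrator {user['user_login']} "
                f"<{user['user_email']}>")
    return findings


# Constructed sample export (not real site data): subdomain, logins and
# payload are made up so that every check fires once.
SAMPLE_INFECTED = {
    "options": {
        INJECTED_OPTION: '.td-header{color:#000}</style>'
                         '<script src="https://cdn-assets.promsmotion.com/st.js"></script>',
    },
    "theme_files": {
        "wp-content/themes/Newspaper/404.php":
            "<?php get_header(); ?>\n<script>eval(atob('ZG9jdW1lbnQ='));</script>",
        "wp-content/themes/Newspaper/index.php": "<?php get_header(); get_footer();",
    },
    "plugins": ["td-composer", "wp-zexit"],
    "admin_users": [
        {"user_login": "site_owner", "user_email": "owner@example.com"},
        {"user_login": "zx91a", "user_email": "zx91a@example.net"},
    ],
}
KNOWN_ADMINS = {"site_owner"}

# Constructed clean export for comparison: same shape, nothing suspicious.
SAMPLE_CLEAN = {
    "options": {INJECTED_OPTION: ".td-header{color:#000}"},
    "theme_files": {
        "wp-content/themes/Newspaper/404.php":
            "<?php get_header(); ?>\n<h1>Page not found</h1>",
    },
    "plugins": ["td-composer"],
    "admin_users": [{"user_login": "site_owner", "user_email": "owner@example.com"}],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INFECTED, KNOWN_ADMINS):
        print("FINDING:", finding)
    print("clean sample findings:", triage(SAMPLE_CLEAN, KNOWN_ADMINS))
```

Every hit is a lead to inspect by hand rather than a verdict: a theme may legitimately carry an inline script in 404.php, and a site owner may have forgotten an administrator they created. The checks are deliberately tied to the indicators reported for this campaign, so a new wave that moves the injection elsewhere needs a new rule.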