Widespread Infection of WordPress Sites Via Popup Builder Plugin Vulnerability

Bar Refael

January 16, 2024

A significant number of WordPress sites, estimated at over 7,100, have fallen victim to a malware campaign exploiting a vulnerability in the widely-used Popup Builder plugin. This malware, known as Balada Injector, was first reported by Doctor Web in January 2023 and has since leveraged security weaknesses in WordPress plugins to inject malicious backdoors. These backdoors redirect visitors to fraudulent websites, including tech support scams and fake lottery wins.

Technical Details:

The vulnerability in question, tracked as CVE-2023-6000 with a CVSS score of 8.8, was exposed by WPScan and subsequently patched in Popup Builder version 4.2.3. However, sites using older versions of the plugin remain at risk. The Balada Injector’s method involves inserting a malicious JavaScript hosted on specialcraftbox[.]com to assume control over affected sites.

Impact Assessment:

The scale of this campaign is extensive, with Sucuri reporting that it has been active since 2017, compromising over 1 million sites to date. The GoDaddy-owned security company detected fresh Balada Injector activity on December 13, 2023, with current incidents affecting over 7,100 sites.

Threat Actor:

The actors behind Balada Injector have established a pattern of persistent access by uploading backdoors, adding unauthorized plugins, and creating fake administrative accounts, thus retaining long-term control over the compromised sites.

Indicators of Compromise (IoCs):

  • Presence of rogue plugins such as “wp-felody.php” or “Wp Felody”
  • Modifications to the “wp-blog-header.php” file
  • Malicious JavaScript file requests from specialcraftbox[.]com
  • Unusual administrative activities without authentication

Mitigation Measures:

  • Immediate update of the Popup Builder plugin to version 4.2.3 to mitigate the vulnerability.
  • Comprehensive scans for indicators of compromise (IoCs) on all customer sites.
  • Deployment of advanced monitoring tools to detect and respond to suspicious activities.

Customer Guidance:

  • Review and update all WordPress installations and plugins to their latest versions.
  • Regularly audit user roles and privileges to ensure no unauthorized accounts exist.
  • Implement a robust web application firewall (WAF) to safeguard against future injection attempts.
  • Conduct regular backups and have a disaster recovery plan in place.

Recommendations for Immediate Action:

  • Scan for and remove any instances of the “wp-felody.php” or “Wp Felody” plugins.
  • Check the “wp-blog-header.php” file for unauthorized modifications.
  • Validate the integrity of all JavaScript being loaded on WordPress sites.

The Balada Injector campaign underscores the critical need for constant security awareness and proactive defense strategies. OP Innovate advises all customers to implement the recommended measures promptly to secure their digital assets.

Stay safe and informed,

OP Innovate.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Under Cyber Attack?

Fill out the form and we will contact you immediately.