New domains, old challenges: Balada Injector is back in the game

Carding

Researchers have found out how hackers still manage to stay afloat.

While monitoring websites, the Cybernews threat research team detected the activity of the Balada Injector malware, which targets WordPress sites. As a result of the study, it turned out that the virus is masked and uses new domain names to bypass security systems. According to PublicWWW, the virus affected more than a thousand sites.

How Balada Injector Works

The site "spatialreality[.]com" served as the starting point of the study. Instead of displaying the main page of the site, the user was prompted to download a PHP file. The file contained malicious code that allowed remote access to the infected machine and management of redirect-based ad campaigns.

Highlights of the Balada Injector campaign

Balada Injector has been active since 2017. In this case, 7 automated attacks on a vulnerable WordPress site were detected.
Malicious scripts were downloaded from various domains. The scripts not only redirected users to sites with a dubious reputation, but also tried to track the user by installing spyware extensions or other software.
At one of the addresses under study, the site looked normal, but a malicious JavaScript file was delivered to the user's browser via favicon.ico.
Cybercriminals use randomly generated domains and regularly change them when old domains are detected and marked as malicious. All domains and subdomains involved in the attack are associated with the same threat actor.
The study confirms that Balada Injector continues to be a serious threat in cyberspace, and highlights the need for continuous monitoring and updating of security systems.

Earlier, Sucuri specialists said that since 2017, a total of more than a million WordPress-based websites have been infected with Balada Injector. Attacks are known to occur in waves, once every few weeks.
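Two of the artefacts described above (a favicon.ico that is really script, and script tags pulling from throwaway domains) can be checked for offline on a saved copy of a site. The following is an added example written for this post, not code from the researchers or from the article; the sample HTML, favicon bodies and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Magic bytes of legitimate favicon formats: ICO, PNG, GIF, SVG, WebP/RIFF.
IMAGE_MAGIC = (b"\x00\x00\x01\x00", b"\x89PNG", b"GIF8", b"<svg", b"<?xml", b"RIFF")
# Fragments that betray PHP or JavaScript served where an icon is expected.
SCRIPT_HINTS = (b"<?php", b"<script", b"eval(", b"document.", b"function(")


def favicon_is_script(data: bytes) -> bool:
    """Flag a favicon.ico whose body is PHP/JavaScript rather than an image."""
    head = data.lstrip()
    if head.startswith(IMAGE_MAGIC):
        return False
    return any(hint in head[:512].lower() for hint in SCRIPT_HINTS)


class ScriptSrcCollector(HTMLParser):
    """Collect the host of every <script src=...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative paths give hostname None (same origin); "//host/x.js" is parsed as a host.
            self.hosts.append(urlparse(src).hostname)


def foreign_script_hosts(html: str, allowlist: set) -> list:
    """Return external script hosts that are not on the site's allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return sorted({h for h in parser.hosts if h and h.lower() not in allowlist})


# Constructed sample page: one legitimate CDN script, one injected from a random-looking domain.
SAMPLE_HTML = """<html><head><link rel="icon" href="/favicon.ico">
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="//xk8p2.example-injected.test/main.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script></head><body>ok</body></html>"""
ALLOW = {"cdn.example.com"}
# Constructed favicon bodies: a genuine ICO header versus PHP emitting JavaScript.
GOOD_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10"
BAD_ICO = b"<?php header('Content-Type: application/javascript'); ?>\n(function(){document.title='x';})();"

if __name__ == "__main__":
    print("favicon ok:", favicon_is_script(GOOD_ICO), "| favicon injected:", favicon_is_script(BAD_ICO))
    print("unexpected script hosts:", foreign_script_hosts(SAMPLE_HTML, ALLOW))
```

Run it against an exported copy of each page and the site's real favicon.ico; any host it reports should be compared with the domains the site is known to load from, since Balada rotates domains and an allowlist of known-good hosts is what makes the check useful.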