A new wave of the Balada Injector malware campaign is currently targeting a known vulnerability in the popular Popup Builder WordPress plugin.
This vulnerability was originally disclosed in November 2023, and a previous campaign was documented in January. Security researchers are now witnessing a significant escalation.
According to PublicWWW, over 3,300 websites have already been infected by this new campaign.
These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024:
- ttincoming.traveltraffic[.]cc
- host.cloudsonicwave[.]com
Malicious code and indicators of compromise
The attackers exploit a known vulnerability in the Popup Builder WordPress plugin to inject malicious code that can be found in the Custom JS or CSS section of the WordPress admin interface, which is internally stored in the wp_postmeta database table.
Here are two variations of the malicious code that can be found in the database of infected websites:
These injections serve as handlers for various Popup Builder events such as sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose and sgpb-DidClose. These events fire at different stages of the legitimate site's popup display process. In some variations, the URL "hxxp://ttincoming.traveltraffic[.]cc/?traffic" is injected as the redirect-url parameter of a "contact-form-7" popup.
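Because the injected handlers and the redirect URL both end up in wp_postmeta, a site owner can triage a database export by scanning every meta_value for the indicators named above. The following script is an added example written for this article, not code from the campaign write-up or from the Popup Builder project. It assumes rows were exported as tab-separated text (meta_id, post_id, meta_key, meta_value) from a database client; the sample rows and the meta_key names in them are constructed for illustration, since the article does not give the plugin's actual key names. A match on one of the two IoC domains is reported as high severity; a reference to a Popup Builder event name alone is only flagged for manual review, because legitimate Custom JS may register handlers for the same events.

```python
import re
from dataclasses import dataclass

# Indicators of compromise quoted in the article, with defanging removed for matching.
IOC_DOMAINS = (
    "ttincoming.traveltraffic.cc",
    "host.cloudsonicwave.com",
)

# Popup Builder event names listed in the article. A hit here is a lead, not proof:
# site-owned Custom JS can legitimately reference these events.
POPUP_EVENTS = (
    "sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
    "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose",
)


@dataclass
class Finding:
    meta_id: int
    post_id: int
    meta_key: str
    severity: str   # "high" = IoC domain present, "review" = event handler reference only
    reason: str


def refang(value: str) -> str:
    """Normalize defanged notation ([.] and hxxp) so indicators match stored text."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_tsv(text: str):
    """Parse tab-separated wp_postmeta rows: meta_id, post_id, meta_key, meta_value.
    meta_value may itself contain tabs, so split into at most four fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess
        meta_id, post_id, meta_key, meta_value = parts
        rows.append((int(meta_id), int(post_id), meta_key, meta_value))
    return rows


def scan_postmeta_rows(rows):
    """Return one Finding per row that references an IoC domain or a Popup Builder event.
    Substring matching works on serialized PHP option values as well as raw JS/CSS."""
    findings = []
    for meta_id, post_id, meta_key, meta_value in rows:
        text = refang(meta_value or "")
        lowered = text.lower()
        hit_domains = [d for d in IOC_DOMAINS if d in lowered]
        if hit_domains:
            findings.append(Finding(meta_id, post_id, meta_key, "high",
                                    "IoC domain: " + ", ".join(hit_domains)))
            continue
        hit_events = [e for e in POPUP_EVENTS if re.search(re.escape(e), text)]
        if hit_events:
            findings.append(Finding(meta_id, post_id, meta_key, "review",
                                    "Popup Builder event reference: " + ", ".join(hit_events)))
    return findings


# Constructed sample rows (meta_key names are hypothetical, not the plugin's real keys).
SAMPLE_ROWS = [
    # An injected redirect-url option carrying the article's IoC URL.
    (101, 7, "popup_options_example",
     'a:1:{s:12:"redirect-url";s:43:"http://ttincoming.traveltraffic.cc/?traffic";}'),
    # Custom JS that registers an event handler but references no IoC: review only.
    (102, 7, "popup_custom_js_example",
     'window.addEventListener("sgpbDidOpen", function () { /* site-owned handler */ });'),
    # Unrelated metadata that should produce no finding.
    (103, 8, "_edit_last", "1"),
]


if __name__ == "__main__":
    for f in scan_postmeta_rows(SAMPLE_ROWS):
        print(f"[{f.severity}] meta_id={f.meta_id} post_id={f.post_id} key={f.meta_key}: {f.reason}")
```

In practice, export the table with a query such as `SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta` (adjusting the table prefix), feed the output to `parse_tsv`, and treat every high-severity row as confirmed compromise: remove the injected value, update the plugin, and look for the same indicators in other tables and files, since the article notes the campaign rotates domains.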
We strongly recommend updating to the latest version of this plugin.
Bijay Pokharel