
Balada Injector Malware Resurfaces, Exploiting Popup Builder Vulnerability

A new wave of the Balada Injector malware campaign is currently targeting a known vulnerability in the popular Popup Builder WordPress plugin.

This vulnerability was originally disclosed in November 2023, and a previous campaign exploiting it was documented in January. Security researchers are now seeing a significant escalation.

According to PublicWWW, over 3,300 websites have already been infected by this new campaign.

These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024:

  • ttincoming.traveltraffic[.]cc
  • host.cloudsonicwave[.]com

Malicious code and indicators of compromise

The attackers exploit a known vulnerability in the Popup Builder WordPress plugin to inject malicious code into the Custom JS or CSS section of the plugin's settings in the WordPress admin interface. That content is stored in the wp_postmeta database table, which is where the injections are found on infected sites.

Here are two variations of the malicious code that can be found in the database of infected websites:

These injections serve as handlers for various Popup Builder events (sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, sgpb-DidClose), which fire at different stages of the legitimate site's popup display process. In some variations, the "hxxp://ttincoming.traveltraffic[.]cc/?traffic" URL is injected as the redirect-url parameter of a "contact-form-7" popup.
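Because the injections live in wp_postmeta rather than in plugin files, a file-integrity scan will not find them; the check a site owner wants is a query over that table for the indicator domains above. The script below is an added example, not code from the article or from the Popup Builder project: it builds an in-memory SQLite stand-in for wp_postmeta with constructed rows (the meta_key names sg_popup_custom_js and sg_popup_options are assumptions, not the plugin's real schema), refangs the defanged indicators from the article, and reports every row whose value references one of them.

```python
import sqlite3

# Indicators of compromise exactly as the article lists them (defanged).
IOC_DOMAINS_DEFANGED = (
    "ttincoming.traveltraffic[.]cc",
    "host.cloudsonicwave[.]com",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp://") back into the literal form found in data."""
    return (
        indicator.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for WordPress wp_postmeta, filled with constructed rows.

    The meta_key values below are assumptions for illustration only; they are
    not taken from Popup Builder's actual schema. Rows 102-104 are constructed
    to contain the article's IoC domains, rows 101 and 105 are benign.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_postmeta ("
        "meta_id INTEGER PRIMARY KEY, post_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    rows = [
        (101, "sg_popup_custom_js",
         "jQuery(document).on('sgpb-DidOpen', function () { console.log('opened'); });"),
        (102, "sg_popup_custom_js",
         "jQuery(document).on('sgpbDidOpen', function () { "
         "window.location = 'http://ttincoming.traveltraffic.cc/?traffic'; });"),
        (103, "sg_popup_options",
         'a:1:{s:12:"redirect-url";s:43:"http://ttincoming.traveltraffic.cc/?traffic";}'),
        (104, "sg_popup_custom_js",
         "var s = document.createElement('script'); "
         "s.src = 'https://host.cloudsonicwave.com/loader.js';"),
        (105, "_edit_lock", "1709000000:1"),
    ]
    conn.executemany(
        "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?, ?, ?)", rows
    )
    return conn


def find_ioc_hits(conn: sqlite3.Connection, iocs=IOC_DOMAINS_DEFANGED):
    """Return sorted (post_id, meta_key, indicator) tuples for rows containing an IoC.

    The indicator is bound as a LIKE parameter with '%' and '_' escaped, so a
    defanged string copied from a report can never alter the SQL itself.
    """
    hits = []
    for ioc in iocs:
        needle = refang(ioc).replace("%", r"\%").replace("_", r"\_")
        cur = conn.execute(
            "SELECT post_id, meta_key FROM wp_postmeta "
            "WHERE meta_value LIKE ? ESCAPE '\\'",
            ("%" + needle + "%",),
        )
        hits.extend((post_id, meta_key, ioc) for post_id, meta_key in cur)
    return sorted(hits)


if __name__ == "__main__":
    for post_id, meta_key, ioc in find_ioc_hits(build_sample_db()):
        print(f"post_id {post_id} ({meta_key}) references {ioc}")
```

Against a live site the same LIKE query runs unchanged through WP-CLI, for example `wp db query "SELECT post_id, meta_key FROM wp_postmeta WHERE meta_value LIKE '%traveltraffic.cc%'"`; each returned post_id is a popup whose settings should be inspected and cleaned. Matching on the domains rather than on the sgpb-* event names matters because those event hooks are legitimate plugin features that clean Custom JS may also use.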

SiteCheck currently detects this campaign’s injections as malware?pbuilder_injection.1.x

We strongly recommend updating to the latest version of this plugin and removing any unrecognised code from the Custom JS or CSS sections of existing popups, since updating alone does not clear injections already stored in the database.
