Malicious JavaScript injection campaign affects over 51,000 websites since 2022
According to a recent research by security firm Sucuri, a malware campaign called Balada Injector has infected over one million WordPress websites since 2017 by exploiting known vulnerabilities in themes and plugins.
The attackers use various methods, including String.fromCharCode obfuscation, to redirect users to fake tech support, lottery and CAPTCHA pages, and send spam ads.
The malware allows for the generation of fake WordPress admin users, harvesting of data, leaving backdoors for persistent access, and compromising other sites that share the same server account and file permissions.
WordPress users are advised to keep their software updated, remove unused plugins and themes, and use strong admin passwords. Recently, a similar malicious JavaScript injection campaign was uncovered, affecting over 51,000 websites since 2022.
Indicators of Compromise
| Domain |
|---|
| trackstatisticsss[.]com |
| accongestion[.]com |
| actraffic[.]com |
| admarketlocation[.]com |
| adsforbusines[.]com |
| adsformarket[.]com |
| adsrequestbest[.]com |
| adtrafficjam[.]com |
| backrocklondon[.]com |
| balanceformoon[.]com |
| balanceforsun[.]com |
| balantfromsun[.]com |
| becausenightisbetter[.]com |
| becauseshineisbetter[.]com |
| beforwardplay[.]com |
| belaterbewasthere[.]com |
| belazyelephant[.]com |
| belighterservice[.]com |
| bluelabelmoscow[.]com |
| bullgoesdown[.]com |
| buycongestion[.]com |
| buyittraffic[.]com |
| carlbendergogo[.]com |
| chatwithgreenbar[.]com |
| collectfasttracks[.]com |
| costsimpleplay[.]com |
| createrelativechanging[.]com |
| cuttraffic[.]com |
| dancewithlittleredpony[.]com |
| deliverblackjohn[.]com |
| denzzzelwashington[.]com |
| destinyfernandi[.]com |
| dexterfortune[.]com |
| donaldbackinsky[.]com |
| followmyfirst1[.]com |
| generallocationgo[.]com |
| giantttraffic[.]com |
| globallyreinvation[.]com |
| gotosecond2[.]com |
| greenlabelfrancisco[.]com |
| greenrelaxfollow[.]com |
| importtraffic[.]com |
| jockersunface[.]com |
| letsmakesomechoice[.]com |
| lightversionhotel[.]com |
| littleandbiggreenballlon[.]com |
| makesomethird3[.]com |
| postertraffic[.]com |
| primarylocationgo[.]com |
| privacylocationforloc[.]com |
| puttraffic[.]com |
| redfunchicken[.]com |
| redlabellondon[.]com |
| redrelaxfollow[.]com |
| requestfor4[.]com |
| resolutiondestin[.]com |
| speakwithjohns[.]com |
| specialthankselsa[.]com |
| startrafficc[.]com |
| stivenfernando[.]com |
| talktofranky[.]com |
| toupandgoforward[.]com |
| trafficlmedia[.]com |
| trasnaltemyrecords[.]com |
| traveltoscount[.]com |
| verybeatifulantony[.]com |
| wiilberedmodels[.]com |
| worldctraffic[.]com |
| yellowlabeltokyo[.]com |
| digestcolect[.]com |