SocGholish, also known as FakeUpdates, has been a dominant cyber threat; however, Balada has recently been observed more frequently in attempted malware campaigns. Both types of malware are considered loaders that exploit vulnerable website infrastructure to perform reconnaissance and deploy malicious payloads, such as remote access trojans (RATs), information stealers, and ransomware.

The NJCCIC’s email security solution detected an uptick in emails containing URLs linking to websites compromised with Balada injects. Fifteen campaigns have been detected since January. The email messages, URLs, and domains may appear legitimate but are routing traffic maliciously. Balada injects malicious web scripts that redirect visitors to scam sites promoting fake tech support, fraudulent lottery wins, and push notification scams that trick users into subscribing to push notifications through fake CAPTCHA pages.

The Balada threat actor typically attempts to maintain persistent control of compromised websites by creating accounts with administrator privileges. If the legitimate administrator removes the redirection scripts but fails to delete the fake administrator accounts, the threat actor can use the existing administrator access to add new malicious redirection scripts. According to Sucuri security analysts, over one million websites have been compromised by Balada malware since its discovery in 2017.

The most recent campaign can be identified by its preference for String.fromCharCode obfuscation and the use of freshly registered domain names hosting malicious scripts on random subdomains. These domain names often contain two or three English words strung together, e.g., links[.]fitness4lyfe[.]com; infotechhub[.]today; and admin[@]thebulletexpress[.]com.

Recommendations

• WordPress website administrators are encouraged to carefully inspect both website and event logs for signs of infection using the indicators of compromise in the Sucuri blog post.
• Regularly monitor and check for backdoor code and the addition of any admin accounts.
• Keep all website themes, plugins, and other software up to date, remove unused plugins and themes, and utilize a web application firewall.
• Inspect, clean, and protect all websites hosted under the same server account.
• Isolate important websites with separate server accounts to prevent malware propagation from neighboring websites.
• Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.

For any further questions, contact us here at Cyber Command.