Balada Injector: Investigating Malware Exploiting WordPress Vulnerabilities

Darktrace analyzed Balada Injector campaigns that exploit vulnerable WordPress plugins and themes (notably CVE-2023-3169 in the tagDiv Composer plugin) to inject backdoors, create rogue administrator accounts, and exfiltrate data over TLS/HTTPS to newly registered domains. Darktrace DETECT identified anomalous TLS connections, JA3 fingerprints, and beaconing to C2 domains such as stay.decentralappps[.]com, giving responders visibility for investigation; where RESPOND was enabled, these connections could have been blocked autonomously. #BaladaInjector #WordPress #tagDiv #Darktrace

Keypoints

  • Balada Injector targets WordPress plugins/themes (e.g., tagDiv composer) to inject backdoors and malicious plug-ins like ‘wp-zexit’.
  • Attack patterns occur in recurring spikes and include HTML/database/file injections, admin account creation, and script redirects to malicious domains.
  • Darktrace observed TLS/SSL C2 connections to newly registered domains (e.g., stay.decentralappps[.]com, cdn.dataofpages[.]com) and rarely seen IPs, often with JA3 fingerprints that imitate a browser's TLS client hello.
  • Observed behaviors included repeated connections over days consistent with beaconing and potential C2, flagged by DETECT models and investigated by Cyber AI Analyst.
  • Common IOCs: multiple malicious hostnames and IPs (examples: stay.decentralappps[.]com, cdn.dataofpages[.]com, 88.151.192[.]254, 111.90.141[.]193) and JA3 TLS fingerprints used to impersonate browsers.
  • Darktrace’s anomaly-based DETECT identified affected devices without signature updates; RESPOND could have autonomously blocked malicious endpoints to contain threats.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The campaign exploited a cross-site scripting vulnerability in the tagDiv Composer WordPress plugin (CVE-2023-3169) to gain initial access. (‘exploited a cross-site scripting (XSS) vulnerability in CVE-2023-3169 associated with the tagDiv composer plug-in’)
  • [T1505] Server Software Component (Web Shell / Backdoor) – Attackers injected backdoors and installed a malicious plugin to execute PHP and maintain persistence. (‘inject a backdoor that could execute PHP code and install a malicious WordPress plug-in, namely ‘wp-zexit’’)
  • [T1078] Valid Accounts – The malware created autogenerated WordPress administrator accounts to gain ongoing administrative capabilities. (‘create blog administrators who can perform administrative tasks without having to authenticate’)
  • [T1071.001] Application Layer Protocol: Web (HTTP/S) – C2 and beaconing occurred over HTTPS/TLS to malicious domains and endpoints. (‘much of the activity appeared to be associated with TLS/SSL connectivity, related to Balada Injector endpoints’)
  • [T1041] Exfiltration Over C2 Channel – Sensitive site data (database credentials, archives, logs) was collected and exfiltrated via C2 channels. (‘exfiltrates sensitive information, such as database credentials, archive files, access logs’)
  • [T1573] Encrypted Channel – Attackers used TLS/SSL and JA3 impersonation to hide C2 traffic and mimic legitimate browser fingerprints. (‘the normalized JA3 fingerprints… able to impersonate the TLS signatures of browsers’)

Indicators of Compromise

  • [Hostname] Balada C2/endpoints – stay.decentralappps[.]com, cdn.dataofpages[.]com, and other domains such as js.statisticscripts[.]com, collect[.]getmygateway[.]com
  • [IP Address] Observed C2 hosts – 88.151.192[.]254, 111.90.141[.]193, and other IPs including 185.39.206[.]161 and 2.59.222[.]121
  • [JA3/TLS fingerprints] TLS client fingerprints observed in C2 connections – 473f0e7c0b6a0f7b049072f4e683068b, aa56c057ad164ec4fdcb7a5a283be9fc (the latter linked to curl_cffi TLS impersonation)
  • [User-Agent strings] Observed in C2 connections – examples include ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0)’ and ‘Chrome/117.0.0.0’ used during malicious connections

Darktrace observed Balada Injector exploiting WordPress plugin flaws (notably CVE-2023-3169 in the tagDiv Composer plugin) to inject backdoors, upload malicious plugins (e.g., ‘wp-zexit’), and create unauthorized administrator accounts. The intrusions used HTML, database, and file injection to plant backdoors capable of executing arbitrary PHP and malicious plugins that gave the operators administrative control of the site and access to its data.

Compromised hosts made repeated TLS/HTTPS connections to newly registered malicious domains (examples: stay.decentralappps[.]com, cdn.dataofpages[.]com, js.statisticscripts[.]com) and rarely seen IPs. The JA3 fingerprints on these connections (e.g., 473f0e7c…, aa56c057…) did not match the server's usual TLS clients, and the latter is associated with the curl_cffi TLS impersonation library, which mimics browser client hellos. Taken together, connections repeating over several days to the same rare endpoints, anomalous TLS client behavior, and script redirects to malicious domains were consistent with C2 beaconing and with exfiltration of database credentials, access logs, and archive files.

Darktrace DETECT flagged the anomalous external activity and SSL beaconing, and Cyber AI Analyst linked the isolated events into broader C2 incidents. Where RESPOND was not active, autonomous blocking could have prevented further connections to known Balada domains. Defenders should monitor for connections to rare or newly registered domains, JA3 fingerprints not normally seen from their web servers, outbound connections from a web server that repeat daily over several days, unexpected WordPress administrator account creation, and unknown plugins such as ‘wp-zexit’.
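The following is an added example of the triage logic described above and is not Darktrace's code. It runs over a constructed, space-separated TLS connection log (timestamp, source IP, destination IP, SNI, JA3) and combines three of the checks the page calls out: matching the listed IOC hostnames, IPs and JA3 hashes; flagging destinations that are newly registered; and counting on how many distinct days a given source talked to a given SNI. The IOC values are those listed on the page (defanging brackets removed); the source and benign IP addresses, the benign JA3 value, the domain registration dates and the log lines themselves are constructed for the demo, and the registration table stands in for a WHOIS/RDAP lookup.

```python
"""Triage TLS connection records for Balada Injector style C2 beaconing.

Added example, not Darktrace code. Log format (constructed):
    <ISO-8601 timestamp> <src_ip> <dst_ip> <sni> <ja3>
"""
from collections import defaultdict
from datetime import date, datetime

# IOCs as listed on the page (defanging brackets removed).
IOC_HOSTNAMES = {"stay.decentralappps.com", "cdn.dataofpages.com",
                 "js.statisticscripts.com", "collect.getmygateway.com"}
IOC_IPS = {"88.151.192.254", "111.90.141.193", "185.39.206.161", "2.59.222.121"}
IOC_JA3 = {"473f0e7c0b6a0f7b049072f4e683068b", "aa56c057ad164ec4fdcb7a5a283be9fc"}

# Constructed stand-in for a WHOIS/RDAP creation-date lookup (assumption).
REGISTRATION_DATE = {
    "stay.decentralappps.com": date(2023, 9, 20),
    "cdn.dataofpages.com": date(2023, 9, 25),
    "api.wordpress.org": date(2005, 1, 1),
}

# Constructed sample log: 192.0.2.5 is the web server; 203.0.113.10 and the
# JA3 on the api.wordpress.org lines are benign placeholders.
SAMPLE_LOG = """\
2023-10-02T03:14:07Z 192.0.2.5 88.151.192.254 stay.decentralappps.com aa56c057ad164ec4fdcb7a5a283be9fc
2023-10-03T03:15:11Z 192.0.2.5 88.151.192.254 stay.decentralappps.com aa56c057ad164ec4fdcb7a5a283be9fc
2023-10-04T03:13:58Z 192.0.2.5 88.151.192.254 stay.decentralappps.com aa56c057ad164ec4fdcb7a5a283be9fc
2023-10-05T03:16:02Z 192.0.2.5 88.151.192.254 stay.decentralappps.com aa56c057ad164ec4fdcb7a5a283be9fc
2023-10-02T03:14:09Z 192.0.2.5 111.90.141.193 cdn.dataofpages.com 473f0e7c0b6a0f7b049072f4e683068b
2023-10-02T12:00:00Z 192.0.2.5 203.0.113.10 api.wordpress.org 0123456789abcdef0123456789abcdef
2023-10-03T12:00:00Z 192.0.2.5 203.0.113.10 api.wordpress.org 0123456789abcdef0123456789abcdef
2023-10-04T12:00:00Z 192.0.2.5 203.0.113.10 api.wordpress.org 0123456789abcdef0123456789abcdef
"""


def parse_log(text):
    """Parse the space-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, sni, ja3 = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "src": src, "dst": dst, "sni": sni, "ja3": ja3})
    return records


def ioc_reasons(rec):
    """Return which of the page's IOC lists the record matches."""
    reasons = []
    if rec["sni"] in IOC_HOSTNAMES:
        reasons.append("hostname")
    if rec["dst"] in IOC_IPS:
        reasons.append("ip")
    if rec["ja3"] in IOC_JA3:
        reasons.append("ja3")
    return reasons


def is_newly_registered(sni, when, max_age_days=30):
    """True if the domain was registered within max_age_days of the connection.
    Domains absent from the lookup table are treated as new/rare (assumption)."""
    created = REGISTRATION_DATE.get(sni)
    if created is None:
        return True
    return (when.date() - created).days <= max_age_days


def beaconing_candidates(records, min_days=3):
    """(src, sni) pairs seen on at least min_days distinct calendar days."""
    days = defaultdict(set)
    for r in records:
        days[(r["src"], r["sni"])].add(r["ts"].date())
    return {k: len(v) for k, v in days.items() if len(v) >= min_days}


def triage(records, min_days=3):
    """Alert per (src, sni) when an IOC or new-domain reason exists; note
    beaconing as an extra reason. Daily connections to an established,
    non-IOC domain (e.g. update checks) are deliberately not alerted."""
    cands = beaconing_candidates(records, min_days)
    alerts = {}
    for r in records:
        key = (r["src"], r["sni"])
        reasons = set(ioc_reasons(r))
        if is_newly_registered(r["sni"], r["ts"]):
            reasons.add("new-domain")
        if not reasons:
            continue
        if key in cands:
            reasons.add("beaconing")
        alerts.setdefault(key, set()).update(reasons)
    return {k: sorted(v) for k, v in alerts.items()}


if __name__ == "__main__":
    for key, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(key, reasons)
```

On the sample input the api.wordpress.org traffic is a beaconing candidate by day count alone, which is why the day count is used only to enrich an alert that already has an IOC or domain-age reason rather than to raise one by itself; in production the registration table would be replaced by a WHOIS/RDAP or passive-DNS lookup and the min_days threshold tuned to the host's normal outbound pattern.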

Read more: https://darktrace.com/blog/balada-injector-darktraces-investigation-into-the-malware-exploiting-wordpress-vulnerabilities