Balada Injector still at large – new domains discovered

The Balada Injector is still at large and still evading security software by utilizing new domain names and using new obfuscation.

During a routine web monitoring operation, we discovered an address that led us down a rabbit hole of WordPress-orientated “hack waves” caused by the Balada Injector malware. This evidence suggests that the malware is still at large and still evading security software by utilizing new domain names and slight changes between the waves of obfuscated attacks.

How Ballada Injector works

The starting point of the research that ensued following the discovery was a website at address spatialreality[.]com which appeared during routine web monitoring. The address led to what appeared to be a WordPress-powered website, which, upon visiting, downloaded a PHP file onto the user’s computer instead of serving the landing page.

While PHP files are usually processed by a website’s back-end, this time it was downloaded instead, due to syntax errors within it. This revealed to us the injected exploit code responsible for remote access to infected machines and redirect-based malvertising scheme control. Within the file, there were seven brackets of PHP tags and each of them contained an obfuscated piece of code within.

The PHP tags were stacked on top of each other, having legitimate code of the website at the very bottom. Therefore, if the syntax was correct, it ran the malicious code before serving the actual website being visited.

Upon further inspection, we were able to ascertain that the initial website we were investigating had fallen susceptible to at least seven waves of these automated attacks by one or more malware operators and had four different payloads within the investigated file, each of which was delivered through successful vulnerability exploitation.

During the research, we managed to deobfuscate and examine some of the PHP payloads that revealed URLs of newly spawned Command & Control endpoints and subsequent obfuscated JavaScript files used in the operation scheme.

Upon extracting the list of URLs from the malicious PHP and JavaScript code blocks, we looked up the number of websites that had the discovered indicators of compromise within their code by using specially crafted queries on PublicWWW Search Engine to understand the spread of the attack more clearly.

Key takeaways

  • The Balada injector is a malware family known to be active from 2017 to the present day. It employs multiple attack vectors and persistence mechanisms. For example, in the researched case, we noticed a likely outcome of seven automated attack waves against a vulnerable WordPress website, each adding a block of malicious PHP code straight into the index file of the compromised website, which executes the malicious scripts upon being visited. Fortunately for us, the automated attack waves seem to lack functionality for evaluating whether the site has been compromised before. This results in situations where, rather than executing malicious code injected by the attackers, a file is downloaded instead of containing the injected payload.
  • Each iteration of the injected PHP code block researched during this investigation was injected on top of the previous one and appears to be responsible for two operations. One, deploying a script written with JavaScript into the document being rendered for every site visitor if specific conditions are met. And two, opening a backdoor within the compromised website for further exploitation, which can then be accessed remotely through a specifically crafted query.
  • We have found the following URLs being accessed to load malicious JavaScript onto the exploited websites:
    • https[:]//get[.]sortyellowapples[.]com/scripts/get[.]js?v=7.5;
    • https[:]//step[.]firstblackphase[.]com/scripts/source[.]js;
    • https[:]//for[.]firstblackphase[.]com/trbbbbb0;
    • https[:]//stock[.]statisticline[.]com/scripts/trick[.]js;
    • https[:]//block[.]descriptionscripts[.]com/scripts/step[.]js?v=1.0.3
  • The scripts referenced above requested the execution of subsequent scripts from other addresses. The scripts were responsible not only for causing website redirection – resulting in the monetary gain of the threat actor on questionable reputation websites – but also for having the capability to read and write cookies on the end-user’s device. Furthermore, they attempted to track the user and install malicious extensions or other software on the end user’s device.
  • The scripts loaded through descriptionscripts[.]com addresses listed previously subsequently loaded other scripts from the following URLs:
    • https[:]//block[.]descriptionscripts[.]com/main[.]js;
    • https[:]//fire[.]descriptionscripts[.]com/get[.]php?wid=215315&sid=32463463&gid=24563463
  • The scripts loaded through sortyellowapples[.]com address subsequently tried to load the following URL:
    • https[:]//stats[.]statisticline[.]com/Y1hjNr?&se_referrer=&default_keyword=&&_cid=d4781ca6-febb-b55e-c21a-3eadeb9b0105
  • One of the investigated addresses (descriptionscripts[.]com) is also accessible through the browser and has a landing page. While the landing page states that a website is under development, it’s another attack vector for the threat actor. At first sight, the website does not appear special or important. On the other hand, an inspection of the network tab shows that it’s loading JavaScript onto the user’s browser through the favicon.ico file. Normally, this is responsible for the pixelated picture within the user’s browser and is queried automatically by the browser, but in this case, it delivers a malicious javascript file with the same code as the one that was injected into the compromised website.
  • PublicWWW reported the following statistics when queried with malicious script URLs:
    • https[:]//get[.]sortyellowapples[.]com/scripts/get[.]js?v=7.5 – 334 sites
    • https[:]//step[.]firstblackphase[.]com/scripts/source[.]js – 821 sites
    • https[:]//for[.]firstblackphase[.]com/trbbbbb0 – 959 sites
    • https[:]//stock[.]statisticline[.]com/scripts/trick[.]js – 1413 sites
    • https[:]//block[.]descriptionscripts[.]com/scripts/step[.]js?v=1.0.3 – 312 sites
  • It seems that the attackers use randomly generated domains bought via providers that allow anonymous purchases. They also consistently switch them when old ones get detected and flagged as malicious. Malware operators also utilize the rental of “virtual private servers” and “shared hosting” services from various hosting providers in countries such as Ukraine and Germany, where the scripts were hosted. Certain specific indicators reveal that all of the domains and subdomains implicated in the attack are linked to the same threat actor. Some of these domains are interconnected during the script execution phases, as they call upon one another. Additionally, some of them exhibit similar methods of obfuscation and exploitation, suggesting their interconnection. Furthermore, some of these domains either share the same IP address or possess a shared SSL certificate, as illustrated in the table presented below.

Significance to web users

Balada Injector is a serious threat to web users as it affects vulnerable versions of WordPress based websites (WordPress based websites amount to almost 43% of all known websites). The malware family is known to operate since 2017 and remains at large, as described by Sucuri in the articles linked below.


This research revealed new domain names used for hosting malicious JavaScript payloads of Balada Injector that went unreported, and remain so at present. The articles explain various quirks in the malware’s automated attack behavior.

If you want to receive mitigation advice, give a look at the original post published by CyberNews @

About the author: Cybernews Team

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Balada Injector)

The post Balada Injector still at large – new domains discovered appeared first on Security Affairs.

文 » A