Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023
More than 17,000 WordPress websites have been compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August.
Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to Read More
The Hacker News | #1 Trusted Cybersecurity News Site
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
Initial Infiltration:
The attackers exploit exposed Docker API instances, delivering malicious payloads disguised as legitimate tools.
These payloads leverage the chroot command to escape container confines and gain access to the host system.
The malware creates backdoors by adding SSH keys and hidden user accounts, granting attackers persistent access.
A custom script hides processes, making detection even more challenging.
Exfiltrating Valuable Data:
The campaign employs various scripts to steal credentials from cloud service providers, environment variables, and even Docker containers.
This stolen data grants attackers deeper access to networks and potentially sensitive information.
Commando Cat deploys a custom XMRig miner disguised as Docker components, siphoning off computing power for crypto mining.
The malware even eliminates competing miners, ensuring it gets the biggest slice of the resource pie.
Securing Its Turf:
The campaign blackholes the Docker registry to prevent other attackers from interfering, effectively isolating the infected system.
This “scorched earth” tactic highlights the ruthlessness of this campaign.
Key Takeaways:
Commando Cat employs sophisticated evasion techniques, making it difficult to detect and remove.
Its focus on stealing credentials and cryptojacking reveals its profit-driven motives.
The campaign’s association with previously observed malware suggests the existence of copycat groups exploiting established tactics.
Users and organizations must patch vulnerabilities, secure Docker API endpoints, and implement robust endpoint detection and response (EDR) solutions.
Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.