A new malware campaign dubbed Sign1 has wreaked havoc on over 39,000 websites in the past six months, inducing unwanted redirects and popup ads for unsuspecting visitors.
The modus operandi of the threat actors behind Sign1 involves injecting the malware into custom HTML widgets and legitimate plugins on WordPress sites, rather than tampering with the core WordPress files. This infiltration method allows the malicious Sign1 scripts to go undetected, complicating efforts to mitigate the threat.
The discovery of the campaign came to light when website security firm Sucuri encountered a client whose website began displaying popup ads randomly to visitors. While Sucuri's client fell victim to a brute force attack, the precise methods used to compromise other affected sites remain undisclosed. However, likely, a combination of brute force attacks and exploitation of plugin vulnerabilities facilitated the breaches.
Once access is gained, the threat actors leverage WordPress custom HTML widgets or the widely-used Simple Custom CSS and JS plugin to inject the malicious JavaScript code. Notably, Sign1 employs time-based randomization to generate dynamic URLs, changing every 10 minutes to evade detection. Additionally, the domains used in the attacks are registered shortly before deployment, avoiding blocklists.
The injected code employs XOR encoding and obfuscates variable names to evade detection by security tools. It selectively executes based on specific referrers and cookies, targeting visitors from major sites such as Google, Facebook, Yahoo, and Instagram. Moreover, the malware creates a cookie on the visitor's browser to limit popup displays, reducing the likelihood of detection by website owners.
Upon execution, the malicious script redirects visitors to scam sites, such as fake captchas, aiming to deceive users into enabling browser notifications. These notifications subsequently deliver unwanted advertisements directly to users' desktops.
Sucuri warns that Sign1 has evolved, with infections surging whenever a new version of the malware is deployed. In the most recent attack wave, which commenced in January 2024, over 2,500 sites have fallen victim to the campaign.
To safeguard against such threats, website administrators are advised to employ strong, lengthy passwords, keep plugins updated, and eliminate unnecessary add-ons that could serve as potential attack vectors. By remaining vigilant and implementing proactive security measures, website owners can mitigate the risks posed by evolving malware campaigns like Sign1.
