Skip to content Skip to footer

Massive Sign1 Malware Campaign Compromises 39,000 WordPress Sites

In cybersecurity, a new and insidious campaign called Sign1 has been wreaking havoc on sites, compromising over 39,000 in just the last six months alone. This malicious campaign is causing untold damage to individuals and businesses by utilizing malicious JavaScript injections to redirect unsuspecting users to scam sites.

As if that wasn't bad enough, the most recent variant has infected an estimated 2,500 sites in the past two months alone. This has left many scratching their heads and wondering how to protect themselves against such a pervasive and damaging cyber threat.

The attacks are carried out by injecting rogue JavaScript into legitimate HTML widgets and plugins, allowing arbitrary JavaScript and other code to be inserted. This gives attackers an easy way to add malicious code and wreak havoc on unsuspecting users.

To make matters worse, the XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server. This ultimately facilitates redirects to a VexTrio-operated traffic distribution system. But this is only if specific criteria are met, making it all the more difficult to detect and prevent this type of attack.

Moreover, the uses time-based randomization to fetch dynamic URLs that change every 10 minutes to circumvent blocklists. These domains are registered just a few days before being used in attacks, adding another layer of difficulty to the already complex task of detecting and preventing these attacks.

One of the most disturbing aspects of this code is that it specifically looks to see if the visitor has come from significant websites such as , Facebook, Yahoo, Instagram, etc. If the referrer does not match these critical sites, the will not execute. This shows the sophistication and attention to detail the attackers have employed in their malicious campaign.

Site visitors are then taken to other scam sites by executing another JavaScript from the same server, further compounding the issue and causing even more problems for unsuspecting users.

The Sign1 campaign, first detected in the second half of 2023, has gone through several iterations, with the attackers leveraging as many as 15 domains since July 31, 2023. The attack is suspected of using brute force. However, adversaries could also leverage security flaws in plugins and themes to obtain access.

Many injections are found inside custom HTML widgets that the attackers add to compromised websites. The attackers often install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin. This approach of not placing malicious code into server files allows the to stay undetected for extended periods, making it all the more difficult to detect and prevent.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

What do all men with power want? More powerThe Oracle

Deitasoft © 2024. All Rights Reserved.