Monday, May 12, 2025
Sign1 Malware Hijacked 39,000 WordPress Websites

A client's website was showing random pop-ups, and server-side scanner logs revealed a JavaScript injection tied to Sign1, a malware campaign that targets websites, has infected over 2,500 websites in the past two months, and uses evasion techniques that make it hard to detect.

Daily server-side scans are crucial for detecting changes such as new malware; website logs should also be examined, and changes in plugins identified, particularly plugins that allow custom code to be injected.

Plugin changes

Plugins are attractive to attackers because they make it easy to embed malicious code, and the investigation revealed malicious code embedded in a seemingly harmless custom CSS and JS plugin.

While attackers abusing such plugins is common, this particular code used a unique and intriguing method.

[Image: the culprit nestled inside the Custom CSS & JS plugin]

History Of The Sign1 Malware

Security researchers at Sucuri discovered a malware campaign targeting WordPress websites, called Sign1, which injects malicious scripts into websites through custom HTML widgets or plugins.

The malware uses base64-encoded parameters and time-based randomization to generate dynamic URLs that change every 10 minutes and fetch additional malicious scripts that can redirect visitors to scam sites or deliver unwanted ads. 

The campaign was also observed in the second half of 2023, when researchers noticed that the malware was changing its concealment methods to avoid detection.

Analysis Of The Malware

The code uses time-based randomization for verification: it retrieves the current Unix time in milliseconds (since 1970-01-01) with Date.now(), converts it to seconds, and aligns it to a 10-minute interval, so the value stays constant within that window.

The value is expressed as a hexadecimal string and, together with a seemingly random string, acts as a verification token; requests for JavaScript files from a third-party domain include this token.

[Image: use of the Date.now function near the top of the script]

The server compares the token's time component with the current time and likely rejects requests with outdated or invalid timestamps, presumably to prevent unauthorized access or retrieval of outdated payloads.
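The 10-minute token scheme described above, as an added analysis helper (not the article's or Sucuri's code): one function reproduces the value the script would emit for a given Date.now() so an analyst knows what to look for, and another takes a hex value pulled from a suspicious script URL and reports whether it is aligned to a 600-second window and how old it is. The URL format and the 7+ hex-digit filter are assumptions for the example; the random-string part of the token the article mentions is not modelled.

```javascript
// Added example: inspect Sign1-style 10-minute-aligned hex timestamps found in script URLs.
const WINDOW_SECONDS = 600; // the 10-minute window the article describes

// Mirrors the described scheme: Date.now() (ms) -> seconds -> floored to the
// 10-minute window -> hex string. Used to know what a "current" token looks like.
function windowTokenFor(nowMs) {
  const seconds = Math.floor(nowMs / 1000);
  const aligned = seconds - (seconds % WINDOW_SECONDS);
  return aligned.toString(16);
}

// Reverse direction for triage: interpret a hex token as epoch seconds and report
// whether it is window-aligned and how far it is from a reference time.
function inspectToken(hexToken, referenceMs = Date.now()) {
  if (!/^[0-9a-f]+$/i.test(hexToken)) {
    return { valid: false, reason: 'not a hex string' };
  }
  const seconds = parseInt(hexToken, 16);
  const aligned = seconds % WINDOW_SECONDS === 0;
  const ageSeconds = Math.floor(referenceMs / 1000) - seconds;
  return {
    valid: aligned,
    seconds,
    isoTime: new Date(seconds * 1000).toISOString(),
    aligned,
    ageSeconds,
    // A server that only honours the current window would accept ages in [0, 600).
    withinCurrentWindow: ageSeconds >= 0 && ageSeconds < WINDOW_SECONDS,
  };
}

// Pull long hex-looking path segments and query values out of a URL so they can be
// fed to inspectToken. The 7+ digit threshold is an assumption (epoch seconds are 8 hex digits).
function hexCandidatesFromUrl(url) {
  const u = new URL(url);
  const parts = [...u.pathname.split('/'), ...u.searchParams.values()];
  return parts.filter((p) => /^[0-9a-f]{7,}$/i.test(p));
}

// Constructed sample URL (placeholder host, not an indicator from the article).
const SAMPLE_URL = 'https://third-party.invalid/js/65fbc830/loader.js?v=abc';
for (const token of hexCandidatesFromUrl(SAMPLE_URL)) {
  console.log(token, inspectToken(token, 1711000000000));
}
```

Run with Node 18+ (the global URL class is used). Because the value only changes every 10 minutes, two requests from the same visitor within a window produce the same token, which is what makes it stable enough for the server to verify.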

Attackers injected a hard-coded array of numbers obfuscated with XOR encoding; because the key (40682) was readily available in the sample, researchers could reverse the encoding and recover a newly registered domain.

[Image: new decoded values]

This technique is commonly used by attackers to mask malicious content, but it remains easy to decode once the key is known.
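The XOR decoding step described above, as an added analyst helper (not the article's or Sucuri's code): it decodes a numeric array with a single integer key, using the 40682 key quoted in the article, and also shows how to recover the key by brute force when it is not sitting next to the array. The encoded array below is constructed from a placeholder hostname; the real domain from the sample is not reproduced.

```javascript
// Added example: reverse a single-integer-key XOR encoding of a character array.
const SIGN1_KEY = 40682; // key quoted in the article

// Decode: each number XORed with the key yields a character code.
function xorDecodeArray(numbers, key) {
  return numbers.map((n) => String.fromCharCode(n ^ key)).join('');
}

// Encoder exists only to build the constructed sample below.
function xorEncodeString(text, key) {
  return Array.from(text, (ch) => ch.charCodeAt(0) ^ key);
}

// Constructed sample: a placeholder hostname, not the domain found in the real sample.
const SAMPLE_ENCODED = xorEncodeString('malicious-domain.example', SIGN1_KEY);

// When the key is not readily available, try every 16-bit key and keep the ones
// whose output looks like a hostname. The hostname pattern is an assumption.
function recoverKeyCandidates(numbers, maxKey = 0xffff) {
  const candidates = [];
  for (let key = 0; key <= maxKey; key++) {
    const decoded = xorDecodeArray(numbers, key);
    if (/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(decoded)) {
      candidates.push({ key, decoded });
    }
  }
  return candidates;
}

console.log('encoded array:', SAMPLE_ENCODED);
console.log('decoded with known key:', xorDecodeArray(SAMPLE_ENCODED, SIGN1_KEY));
console.log('brute-forced candidates:', recoverKeyCandidates(SAMPLE_ENCODED));
```

The brute force is cheap (65,536 keys times a few dozen numbers), which is why a fixed-key XOR only hides content from a casual look, not from analysis.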

The malicious JavaScript dynamically changes URLs in visitors' browsers every 10 minutes and targets visitors who did not arrive at the site through a major referrer (e.g., Google) and have not seen the pop-up before (tracked with a cookie).

[Image: where the redirect occurs]

If these conditions are met, the code injects another script that redirects users to scam sites (often VexTrio domains) by sending the current page URL, referrer, and browser language (base64 encoded) to a Traffic Distribution System (TDS).

[Image: plugin downloads per day]

Attackers use the popular Simple Custom CSS and JS plugin to achieve this, and the malware fetches additional scripts from domains registered shortly before the attack, which makes them difficult to block.

The attackers also switched hosting providers and put their infrastructure behind Cloudflare to make their location harder to determine, and because the malicious code resides in the database rather than in server files, it bypasses typical security scans.
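Since the code lives in database rows rather than files, a file-based scanner misses it; an added detection example (not the article's, Sucuri's, or the plugin's code) scans exported custom-code rows for the traits the article attributes to Sign1: 10-minute arithmetic on Date.now(), an XOR-decoded character array, referrer and cookie gating, base64 of page data, and dynamic script insertion. The row shape and both sample rows are constructed for this example, and the scoring threshold is an assumption.

```javascript
// Added example: flag stored custom-JS snippets that combine the traits the article describes.
const INDICATORS = [
  { name: 'time-window math on Date.now()', re: /Date\.now\(\)[\s\S]{0,80}(600000|600\b|\/\s*1000)/ },
  { name: 'XOR-decoded char array',         re: /fromCharCode\([^)]*\^/ },
  { name: 'referrer check',                 re: /document\.referrer/ },
  { name: 'base64 of page data',            re: /btoa\(/ },
  { name: 'cookie gate',                    re: /document\.cookie/ },
  { name: 'dynamic script injection',       re: /createElement\(\s*['"]script['"]\s*\)/ },
];

// One exported row: { id, title, code }. Returns the indicator names that matched.
function scanSnippet(row) {
  const hits = INDICATORS.filter((i) => i.re.test(row.code)).map((i) => i.name);
  // Threshold of three co-occurring traits is an assumption chosen to limit false positives.
  return { id: row.id, title: row.title, hits, suspicious: hits.length >= 3 };
}

// Scan every row and keep only those with at least one hit, for manual review.
function scanRows(rows) {
  return rows.map(scanSnippet).filter((r) => r.hits.length > 0);
}

// Constructed sample rows: a benign tweak and an inert fixture containing the
// described traits (no real domain, nothing is actually appended to the page).
const SAMPLE_ROWS = [
  { id: 101, title: 'Header tweak',
    code: 'document.querySelector("header").style.padding = "4px";' },
  { id: 102, title: 'Analytics',
    code: [
      'var t = Math.floor(Date.now() / 1000); t = t - t % 600;',
      'var a = [40583, 40587];',
      'var d = a.map(function (n) { return String.fromCharCode(n ^ 40682); }).join("");',
      'if (!/google/.test(document.referrer) && document.cookie.indexOf("seen=") < 0) {',
      '  var s = document.createElement("script");',
      '  var r = btoa(location.href + "|" + document.referrer + "|" + navigator.language);',
      '}',
    ].join('\n') },
];

for (const result of scanRows(SAMPLE_ROWS)) {
  console.log(result);
}
```

Export the plugin's rows from the database (the Simple Custom CSS and JS plugin stores snippets as posts), feed them in as `{ id, title, code }` objects, and review anything marked suspicious by hand; a single hit such as `document.cookie` is common in legitimate snippets, which is why the example requires several traits together.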

Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.