Friday, May 24, 2024

Sign1 Malware Hijacked 39,000 WordPress Websites

A client’s website was experiencing random pop-ups as server side scanner logs revealed a JavaScript injection related to Sign1, which is a malware campaign that targets websites and has infected over 2,500 websites in the past two months and uses challenging techniques to evade detection.  

Daily server-side scans are crucial to detect changes like new malware, examine website logs, and identify changes in plugins, particularly those allowing custom code injection. 

Plugin changes

The plugins are attractive to attackers because they enable embedding malicious code and an investigation revealed malicious code embedded within a seemingly harmless custom CSS and JS plugin. 

While attackers abusing such plugins is common, this specific code displayed a unique and intriguing method.  

culprit nestled inside Custom CSS & JS

History Of The Sign1 Malware

Security researchers at Sucuri discovered a malware campaign targeting WordPress websites called Sign1, which injects malicious scripts into websites using custom HTML widgets or plugins. 

The malware uses base64-encoded parameters and time-based randomization to generate dynamic URLs that change every 10 minutes and fetch additional malicious scripts that can redirect visitors to scam sites or deliver unwanted ads. 

In the second part of 2023, it was also discovered to be a campaign, and researchers noticed that the malware was changing its concealment methods to avoid detection. 

Analysis Of The Malware

The code utilizes time-based randomization for verification purposes and retrieves the current Unix time (milliseconds since 1970-01-01) using, which is then converted to seconds and aligned to a 10-minute interval, ensuring timestamps are consistent within that window. 

The value is expressed as a hexadecimal string, and a seemingly random string acts as a verification token, whereas requests for JavaScript files from a third-party domain include this token. 

use of the date.  now function near the top of the script

The server compares the token’s time component with the current time, likely rejecting requests with outdated or invalid timestamps, potentially to prevent unauthorized access or outdated data retrieval. 

Attackers injected a hard-coded array of numbers obfuscated with XOR encoding, while the key (40682) was readily available in the sample, allowing researchers to reverse the encoding and discover a newly registered domain. 

New values

The technique is common for attackers to mask malicious content while remaining detectable with knowledge of the key. 

Malicious Javascript code dynamically changes URLs in visitors’ browsers every 10 minutes, targeting visitors who haven’t visited the site through a major referrer (e.g., Google) and haven’t seen the pop-up before (checked by a cookie). 

Redirecting occurs

If conditions are met, the code injects another script to redirect users to scam sites (often VexTrio domains) by sending the current page URL, referrer, and browser language (base64 encoded) to a Traffic Distribution System (TDS). 

Downloads per day

Attackers utilize the popular Simple Custom CSS and JS plugins to achieve this, whereas the malware fetches additional scripts from domains registered shortly before the attack, making them difficult to block. 

The attackers switched hosting providers and used Cloudflare to further make it more difficult to understand their location by bypassing typical security scans as the malicious code resides in the database rather than server files. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter. 


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles