Friday, October 4, 2024

Sign1 Malware Hijacked 39,000 WordPress Websites


A client's website was experiencing random pop-ups, and server-side scanner logs revealed a JavaScript injection linked to Sign1, a malware campaign that targets websites. It has infected over 2,500 websites in the past two months and uses techniques that make it hard to detect.

Daily server-side scans are crucial for detecting changes such as newly added malware; it is just as important to examine website logs and to identify changes in plugins, particularly those that allow custom code to be injected.

Plugin changes

Plugins are attractive to attackers because they allow malicious code to be embedded in a site, and the investigation revealed malicious code inside a seemingly harmless custom CSS and JS plugin.


While attackers abusing such plugins is common, this specific code used a unique and intriguing method.

[Image: the culprit nestled inside Custom CSS & JS]

History Of The Sign1 Malware

Security researchers at Sucuri discovered a malware campaign targeting WordPress websites called Sign1, which injects malicious scripts into websites using custom HTML widgets or plugins. 

The malware uses base64-encoded parameters and time-based randomization to generate dynamic URLs that change every 10 minutes and fetch additional malicious scripts that can redirect visitors to scam sites or deliver unwanted ads. 

The campaign was also observed in the second half of 2023, and researchers noticed that the malware kept changing its concealment methods to avoid detection.

Analysis Of The Malware

The code uses time-based randomization for verification purposes: it retrieves the current Unix time (milliseconds since 1970-01-01) using Date.now(), converts it to seconds, and aligns it to a 10-minute interval, so that timestamps are consistent within that window.

The value is expressed as a hexadecimal string and, combined with a seemingly random string, acts as a verification token; requests for JavaScript files from a third-party domain include this token.

[Image: use of the Date.now function near the top of the script]

The server compares the token's time component with the current time and likely rejects requests carrying outdated or invalid timestamps, presumably to block unauthorized access or the retrieval of stale content.

Attackers injected a hard-coded array of numbers obfuscated with XOR encoding; because the key (40682) was readily available in the sample, researchers were able to reverse the encoding and uncover a newly registered domain.

[Image: new values]

The technique is commonly used by attackers to mask malicious content, but it remains trivially reversible for anyone who knows the key.
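The XOR reversal described above, as an added analysis helper that is not part of the article or the researchers' tooling: it pulls a numeric array out of a code snippet and decodes it with the key the article reports (40682). The snippet below is constructed for the example by encoding the placeholder hostname "example.invalid"; it is not a real Sign1 sample, and the function names are assumptions.

```javascript
// Added example, not code from the article or from the malware.
const XOR_KEY = 40682; // the key the article says was present in the sample

// Reverse the obfuscation: each number XORed with the key is a char code.
function xorDecodeNumbers(numbers, key = XOR_KEY) {
  return numbers.map((n) => String.fromCharCode(n ^ key)).join("");
}

// Used here only to construct the sample input; the same operation in reverse.
function xorEncodeString(text, key = XOR_KEY) {
  return Array.from(text, (ch) => ch.charCodeAt(0) ^ key);
}

// Find the first bracketed array of decimal numbers in a snippet.
function extractNumberArray(snippet) {
  const m = snippet.match(/\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/);
  return m ? m[1].split(",").map((s) => parseInt(s.trim(), 10)) : null;
}

// Convenience: snippet in, decoded string out (null if no array found).
function decodeFromSnippet(snippet, key = XOR_KEY) {
  const arr = extractNumberArray(snippet);
  return arr ? xorDecodeNumbers(arr, key) : null;
}

// Constructed sample: a placeholder hostname, not a domain from the campaign.
const SAMPLE_ENCODED = xorEncodeString("example.invalid");
const SAMPLE_SNIPPET = `var _0xa = [${SAMPLE_ENCODED.join(",")}];`;

console.log(decodeFromSnippet(SAMPLE_SNIPPET)); // example.invalid
```

Because the key sits next to the array in the injected code, any reviewer who can read the database entry can recover the domain the same way; the obfuscation defeats naive string matching, not analysis.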

The malicious JavaScript dynamically changes URLs in visitors' browsers every 10 minutes and targets visitors who did not arrive through a major referrer (e.g., Google) and have not seen the pop-up before (checked via a cookie).

[Image: redirecting occurs]

If conditions are met, the code injects another script to redirect users to scam sites (often VexTrio domains) by sending the current page URL, referrer, and browser language (base64 encoded) to a Traffic Distribution System (TDS). 

[Image: downloads per day]

Attackers use the popular Simple Custom CSS and JS plugin to achieve this, and the malware fetches additional scripts from domains registered shortly before the attack, which makes them difficult to block.

The attackers switched hosting providers and placed their infrastructure behind Cloudflare to make their location harder to determine, and because the malicious code resides in the database rather than in server files, it bypasses typical file-based security scans.


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
