Sign1 Malware Hijacked 39,000 WordPress Websites

A client’s website was experiencing random pop-ups as server side scanner logs revealed a JavaScript injection related to Sign1, which is a malware campaign that targets websites and has infected over 2,500 websites in the past two months and uses challenging techniques to evade detection.  

Daily server-side scans are crucial to detect changes like new malware, examine website logs, and identify changes in plugins, particularly those allowing custom code injection. 

Plugin changes

The plugins are attractive to attackers because they enable embedding malicious code and an investigation revealed malicious code embedded within a seemingly harmless custom CSS and JS plugin. 

While attackers abusing such plugins is common, this specific code displayed a unique and intriguing method.  

culprit nestled inside Custom CSS & JS

History Of The Sign1 Malware

Security researchers at Sucuri discovered a malware campaign targeting WordPress websites called Sign1, which injects malicious scripts into websites using custom HTML widgets or plugins. 

The malware uses base64-encoded parameters and time-based randomization to generate dynamic URLs that change every 10 minutes and fetch additional malicious scripts that can redirect visitors to scam sites or deliver unwanted ads. 

In the second part of 2023, it was also discovered to be a campaign, and researchers noticed that the malware was changing its concealment methods to avoid detection. 

Analysis Of The Malware

The code utilizes time-based randomization for verification purposes and retrieves the current Unix time (milliseconds since 1970-01-01) using Date.now(), which is then converted to seconds and aligned to a 10-minute interval, ensuring timestamps are consistent within that window. 

The value is expressed as a hexadecimal string, and a seemingly random string acts as a verification token, whereas requests for JavaScript files from a third-party domain include this token. 

use of the date.  now function near the top of the script

The server compares the token’s time component with the current time, likely rejecting requests with outdated or invalid timestamps, potentially to prevent unauthorized access or outdated data retrieval. 

Attackers injected a hard-coded array of numbers obfuscated with XOR encoding, while the key (40682) was readily available in the sample, allowing researchers to reverse the encoding and discover a newly registered domain. 

New values

The technique is common for attackers to mask malicious content while remaining detectable with knowledge of the key. 

Malicious Javascript code dynamically changes URLs in visitors’ browsers every 10 minutes, targeting visitors who haven’t visited the site through a major referrer (e.g., Google) and haven’t seen the pop-up before (checked by a cookie). 

Redirecting occurs

If conditions are met, the code injects another script to redirect users to scam sites (often VexTrio domains) by sending the current page URL, referrer, and browser language (base64 encoded) to a Traffic Distribution System (TDS). 

Downloads per day

Attackers utilize the popular Simple Custom CSS and JS plugins to achieve this, whereas the malware fetches additional scripts from domains registered shortly before the attack, making them difficult to block. 

The attackers switched hosting providers and used Cloudflare to further make it more difficult to understand their location by bypassing typical security scans as the malicious code resides in the database rather than server files. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter. 

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

Zohocorp, the company behind ManageEngine, has released a security update addressing a critical SQL injection…

2 hours ago

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which…

3 hours ago

Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability

Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing two…

6 hours ago

GeoVision 0-Day Vulnerability Exploited in the Wild

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices, which…

7 hours ago

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

3 days ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

3 days ago