Massive Sign1 Malware Campaign Targets WordPress

Over the last six months, tens of thousands of web resources have fallen victim to a large-scale campaign deploying the previously unknown malicious program Sign1. Perpetrators have been embedding this malware into WordPress sites, leading to unwelcome redirects and intrusive advertising in the form of pop-up windows. The campaign was uncovered by Sucuri, a firm specializing in web security after one of its client’s sites began exhibiting such behavior.

Upon gaining unauthorized access to a WordPress site, typically through credential cracking or exploiting vulnerabilities in plugins, the attackers insert their JavaScript code into user HTML widgets, the legitimate Simple Custom CSS and JS plugin, or other components, rather than modifying the content management system’s files directly.

Analysis revealed that Sign1 employs a time-based randomization mechanism to continuously refresh the URLs from which malicious scripts are loaded. These URLs change every 10 minutes, enabling the malware to evade blocking mechanisms.

The domains used are registered just before the attack and do not have time to be blacklisted. These URLs are then utilized to fetch additional malicious elements and execute them in the browser of the infected site.

To conceal its presence, Sign1 uses XOR encryption and random variable names, and checks cookies and referrers before launching.

Sign1 analyzes the source of traffic and activates only if the user arrives from popular resources like the Google and Yahoo search engines, or social networks such as Facebook and Instagram. In other cases, the malware remains inactive. Additionally, the program creates a cookie marker in the browser of the infected computer to ensure that pop-up windows are displayed only once for each site visitor.

Upon activation, Sign1 redirects users to fake platforms with fraudulent captchas, employing various tactics to coerce enabling browser notifications. This opens a direct channel for attackers to display unwanted advertising directly on the desktop.

In the past six months, Sucuri scanners have detected the malware’s activity on at least 39,000 sites. The latest wave of attacks, beginning in January 2024, has already affected about 2,500 resources, raising significant concerns among cybersecurity specialists.

To protect their resources from such threats, experts recommend using complex, long passwords, regularly updating installed extensions and modules to the latest versions, and eliminating unnecessary software that could serve as a convenient entry point for attackers.