Major new malware campaign hits thousands of WordPress sites
Sign1 malware redirects WordPress visitors to third-party websites
Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites.
Dubbed Sign1, the malware redirects visitors to dangerous websites, and shows them popup ads the owners never intended to show.
The discovery was made earlier this week by cybersecurity researchers Sucuri, after a client said its website was misbehaving, BleepingComputer reports.
Multiple obfuscation methods
As per Sucuri’s report, its client’s website was brute-forced, with unnamed hackers trying countless username/password combinations until they found one that worked. After that, instead of modifying the WordPress files (which is standard practice for WordPress-related attacks, it seems), the threat actors either injected the malware into custom HTML widgets and plugins, or installed Simple Custom CSS and JS plugins to add the JavaScript code to the site.
Subsequent investigation showed that more than 39,000 websites were infected with the same malware. Sucuri isn’t certain how other websites were compromised, but speculates that the attackers used a combination of brute-forcing and leveraging vulnerabilities in different plugins and themes.
Sign1 also has a couple of methods to avoid being spotted.
For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes. That way, the malware ensures the domains are always fresh and not added to any blocklists.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Secondly, the domains are hosted on HETZNER and Cloudflare, obfuscating both hosting and IP addresses. Finally, the injected code comes with XOR encoding and random variable names, making detection even more difficult.
The campaign has been ongoing for roughly six months, the researchers concluded, adding that the malware is in active development. Every time the developers release a new version, infections spike.
The latest attack started in January 2024 and has so far resulted in roughly 2,500 compromised websites.
To remain secure, the researchers advise website owners to make sure their username/password combination is strong enough not to be breached with brute-force attacks. All unused or unnecessary plugins and themes should also be uninstalled, as they can allow the attackers unabated access to the premises.
More from TechRadar Pro
- This nasty new Android malware can easily bypass Google Play security — and it's already been downloaded thousands of times
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.