By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Articles

New Sign1 Malware Campaign Targets Thousands of WordPress Websites

March 25, 2024
A sophisticated malware, known as Sign1, has been identified as the culprit behind a series of unauthorized redirects and popup ads on numerous WordPress sites. This alarming cybersecurity breach was uncovered by the team at Sucuri.

A sophisticated malware, known as Sign1, has been identified as the culprit behind a series of unauthorized redirects and popup ads on numerous WordPress sites. This alarming cybersecurity breach was uncovered by the team at Sucuri, following a report from a client experiencing unusual website behavior, according to BleepingComputer.

Innovative Attack Strategies and Wide Impact

Unlike traditional WordPress attacks that often involve tampering with site files, the perpetrators behind Sign1 opted for a more clandestine approach. They gained initial access through brute-force attacks, tirelessly testing username and password combinations until successful. Subsequently, the malware was either directly injected into existing HTML widgets and plugins or facilitated via the installation of the Simple Custom CSS and JS plugin, allowing attackers to embed malicious JavaScript code seamlessly.

This method of attack has proven effective on a grand scale, with over 39,000 websites reported to be afflicted by the same malware. The exact method of compromise for these sites remains speculative, with Sucuri suggesting a mix of brute-force entry and exploitation of vulnerabilities within various plugins and themes as the likely tactics.

Evasive Measures and Ongoing Development

Sign1 exhibits sophisticated evasion techniques to remain under the radar. One notable method is its use of time-based randomization, which generates dynamic URLs that refresh every 10 minutes. This ensures that the malicious domains remain unlisted by blocklists. Moreover, by hosting these domains on services like HETZNER and Cloudflare, the attackers effectively mask both the hosting and IP addresses. The malware further complicates detection through XOR encoding and the use of randomly generated variable names.

The campaign, identified to have been active for approximately six months, is characterized by its continuous evolution. Sucuri's findings indicate that the malware is still in development, with new versions leading to a spike in infections. The most recent wave of attacks commenced in January 2024, compromising around 2,500 websites to date.

Preventive Measures for Website Owners

In light of these findings, cybersecurity experts stress the importance of robust security practices to mitigate the risk of compromise. Website owners are urged to employ strong username and password combinations to thwart brute-force attacks effectively. Additionally, conducting regular audits to remove or update any unnecessary or outdated plugins and themes is essential for minimizing vulnerabilities that could serve as gateways for attackers.

Peris.ai Cybersecurity remains committed to providing the latest insights and recommendations to protect against such sophisticated threats. Staying informed and proactive in cybersecurity hygiene is key to safeguarding your online presence against the evolving landscape of cyber threats.

There are only 2 type of companies:
Those that have been hacked, and
those who don't yet know they have been hacked.
Protect Your Valuable Organization's IT Assets & Infrastructure NOW
Request a Demo
See how it works and be amaze.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Interested in becoming our partner?
BECOME A PARTNER