# Sign1 malware infects WordPress sites via custom plugins, redirects visitors to ...
The Sign1 malware campaign has affected over 39,000 websites in the last six months, injecting malicious scripts that cause unwanted redirects and pop-up ads. Sucuri, a website security firm, uncovered the campaign after a client reported mysterious pop-up ads on their website.
## Modus Operandi
Sign1 infiltrates websites through a combination of brute force attacks and exploiting plugin vulnerabilities on WordPress sites. Once access is gained, the attackers inject the malware using WordPress custom HTML widgets or the [Simple Custom CSS and JS plugin](https://wordpress.org/plugins/custom-css-js/).
## Locating the Source
A traditional file-system scan found nothing, which highlights the importance of continuous monitoring: it was the server-side scanning service that detected the malicious changes hidden inside otherwise innocuous plugins.
## Sign1 Campaign History
The Sign1 campaign, identified by its unique base64-encoded parameter, has infected over 39,000 sites in the past six months alone. Tracking its evolution, we observed shifting tactics, from domain obfuscation to dynamic URL generation, underscoring the adaptability of cybercriminals.
## Sophisticated Techniques
The malware employs time-based randomization to generate dynamic URLs that change every 10 minutes to avoid detection. These URLs fetch further malicious scripts that execute in visitors' browsers. The scripts were initially hosted on Namecheap; the attackers have since moved to HETZNER for hosting and put Cloudflare in front of it to hide the origin IP address.
![injection.png](https://sb-cms.s3.ap-south-1.amazonaws.com/injection_3b4a7c5dac.png)
***Simple Custom CSS and JS plugin infected with Sign1***
## Evolving Tactics
Sign1 continuously evolves, making detection challenging. It uses XOR encoding and meaningless variable names to evade security tools. The code runs only selectively, based on the visitor's referrer and cookies, targeting visitors arriving from major sites like Google, Facebook, Yahoo, and Instagram. Those visitors are redirected to scam sites that use fake captchas to deliver unwanted advertisements.
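The behaviours described in the two sections above (time-bucketed URLs, base64 and XOR decoding, referrer and cookie gating, remote script loading) can be turned into a triage heuristic for the places Sign1 is injected, i.e. Simple Custom CSS and JS snippets and custom HTML widgets. The following Python is an added example, not Sucuri's detector or the plugin's code; the indicators, weights, threshold and the sample snippets are constructed assumptions, not published indicators of compromise.

```python
"""Heuristic triage of WordPress custom-code snippets for Sign1-style injections.

Constructed example. The indicators are derived from the behaviours described
in the article; weights and threshold are assumptions to tune locally.
"""
import re

# (name, pattern, weight) -- assumed heuristics, not official IoCs.
INDICATORS = [
    ("time_bucket", re.compile(r"Date\.now\(\)|new Date\(\)|getTime\(\)"), 2),
    ("ten_minute_window", re.compile(r"\b(?:600000|600)\b"), 2),  # 10 min in ms / s
    ("base64_decode", re.compile(r"\batob\("), 2),
    ("xor_decode", re.compile(r"charCodeAt\([^)]*\)\s*\^"), 3),
    ("referrer_gate", re.compile(r"document\.referrer"), 2),
    ("cookie_gate", re.compile(r"document\.cookie"), 1),
    ("remote_script", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"), 2),
]
THRESHOLD = 6  # assumed; raise or lower against your own false-positive rate


def score_snippet(code: str):
    """Return (score, [indicator names]) for one snippet of stored code."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(code)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(snippets):
    """snippets: iterable of (location, code), e.g. each custom-css-js post
    or each entry of the widget_custom_html option. Returns flagged entries."""
    flagged = []
    for loc, code in snippets:
        score, hits = score_snippet(code)
        if score >= THRESHOLD:
            flagged.append((loc, score, hits))
    return flagged


# Constructed fixtures mimicking the described behaviour; not real payloads.
SAMPLES = [
    ("custom-css-js post #12",
     "var t=Math.floor(Date.now()/600000);var h=atob('aG9zdA==');"
     "var d='';for(var i=0;i<h.length;i++){d+=String.fromCharCode(h.charCodeAt(i)^7);}"
     "if(document.referrer.indexOf('google')>-1&&document.cookie.indexOf('s1')<0)"
     "{var s=document.createElement('script');s.src=d+t;}"),
    ("custom-css-js post #3", "jQuery(function($){$('.hero').fadeIn(400);});"),
    ("widget_custom_html[2]", "<p>Follow us on <a href='/social'>social media</a></p>"),
]

if __name__ == "__main__":
    for loc, score, hits in triage(SAMPLES):
        print(f"{loc}: score {score}, indicators {hits}")
```

Feed it the real snippet bodies exported from the database rather than files, since a file-system scan misses code stored there.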
## Persistent Threat
Despite efforts to mitigate its impact, Sign1 persists. In the past six months, Sucuri [detected](https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html) it on over 39,000 websites, with 2,500 sites falling victim to the latest wave since January 2024. The campaign's adaptability poses a significant challenge to website owners and security professionals alike.
![daily-downloads.png](https://sb-cms.s3.ap-south-1.amazonaws.com/daily_downloads_65db935503.png)
***Daily downloads***
## Mitigation Strategies
To safeguard against Sign1 and similar threats, website owners should prioritize regular security audits. This includes using strong, long passwords for administrator accounts, keeping plugins updated, and removing unnecessary add-ons that could serve as attack vectors.