Sign1 Malware Targeted Over 2500 WordPress Sites In Recent Campaign

Heads up, WordPress admins! A new malware campaign is actively preying on WordPress websites, generating popup ads. Identified as Sign1, the malware has targeted over 2500 WordPress sites in the recent wave of attacks, exhibiting sneaky behavior to avoid detection.

Sign1 Malware Actively Targets WordPress Sites

According to a recent post from the WordPress security service Sucuri, its researchers have caught the Sign1 malware actively infecting hundreds of websites lately.

As explained, the researchers found the malware embedded in a website plugin that otherwise allows arbitrary code injection by site owners. While such plugins help the developers, criminal hackers may also abuse them maliciously. In this campaign, the researchers detected the malware in the plugin’s custom-css-js.

While dissecting the code, the researchers found time-based randomization (using the Date.now function), which helps the malware generate dynamic URLs. The malicious code is also obfuscated, which makes it more difficult to detect.

Both of these techniques helped the attackers stay under the radar. Consequently, they could compromise thousands of WordPress websites before catching Sucuri’s attention. The researchers admitted that the malware remained unnoticed, and they could only detect its presence by running a server-side scan that looks for any file changes in the environment.
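The server-side file-change scan mentioned above can be sketched as a hash baseline plus comparison. This is an added example, not Sucuri's scanner; the watched file types, function names and baseline format are assumptions.

```python
import hashlib
import json
from pathlib import Path

# Assumption: file types that can carry injected script on a WordPress site.
WATCHED_SUFFIXES = {".php", ".js", ".css", ".html"}
# The article names Date.now as the source of the time-based URL randomization.
TRIAGE_MARKER = b"Date.now"


def snapshot(root):
    """Map each watched file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Record a known-good state; keep the baseline file off the web server."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2))


def scan(root, baseline_file):
    """Compare the current tree with the baseline and report every difference."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current.keys() & baseline.keys()
            if current[name] != baseline[name]
        ),
    }
    # Triage hint only: obfuscated code may hide the marker, so every change
    # still needs review; this just orders the queue.
    report["review_first"] = [
        name for name in report["added"] + report["modified"]
        if TRIAGE_MARKER in (Path(root) / name).read_bytes()
    ]
    return report
```

Take the baseline right after a verified clean deployment and run `scan` on a schedule; any entry that does not match a known update deserves a manual look.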

This malware’s dynamic URLs generate random popups and ads for a compromised site’s visitors. However, the malware specifically targets visitors arriving from prominent sites such as Google and Facebook and won’t execute otherwise. That’s how it remained undetected for many site admins who seldom use a search engine to reach their website. Moreover, it ensured that the popup was displayed only once per visitor.

Due to its stealthy techniques, the Sign1 malware has successfully compromised over 39,000 websites since its beginning. With time, the malware evolved further to enhance its malicious capabilities, with the recent variant targeting over 2500 websites in two months.

To prevent this threat, the researchers advise users to secure their sites’ admin panels and use website firewalls for protection.
