Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites.
Dubbed Sign1, the malware redirects visitors to dangerous websites, and shows them popup ads the owners never intended to show.
The discovery was made earlier this week by cybersecurity researchers Sucuri, after a client said its website was misbehaving, BleepingComputer reports.
Multiple obfuscation methods
As per Sucuri’s report, its client’s website was brute-forced, with unnamed hackers trying countless username/password combinations until they found one that worked. After that, instead of modifying the WordPress files (which is standard practice for WordPress-related attacks, it seems), the threat actors either injected the malware into custom HTML widgets and plugins, or installed Simple Custom CSS and JS plugins to add the JavaScript code to the site.
Subsequent investigation showed that more than 39,000 websites were infected with the same malware. Sucuri isn’t certain how other websites were compromised, but speculates that the attackers used a combination of brute-forcing and leveraging vulnerabilities in different plugins and themes.
Sign1 also has a couple of methods to avoid being spotted.
For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes. That way, the malware ensures the domains are always fresh and not added to any blocklists.
Secondly, the domains are hosted on HETZNER and Cloudflare, obfuscating both hosting and IP addresses. Finally, the injected code comes with XOR encoding and random variable names, making detection even more difficult.
The campaign has been ongoing for roughly six months, the researchers concluded, adding that the malware is in active development. Every time the developers release a new version, infections spike.
The latest attack started in January 2024 and has so far resulted in roughly 2,500 compromised websites.
To remain secure, the researchers advise website owners to make sure their username/password combination is strong enough not to be breached with brute-force attacks. All unused or unnecessary plugins and themes should also be uninstalled, as they can allow the attackers unabated access to the premises.