March 21, 2024 at 12:02PM
The Sign1 malware campaign has infected over 39,000 websites, injecting malicious scripts into WordPress sites by exploiting vulnerabilities or using brute force attacks. The malware uses time-based randomization and dynamic URLs to evade detection, redirects visitors to scam sites, and has evolved to become more resilient. Website owners are advised to strengthen security measures and update plugins.
Based on the meeting notes, the key takeaways are as follows:
1. A malware campaign named Sign1 has infected over 39,000 websites in the past six months, utilizing tactics such as injecting malicious scripts into WordPress sites through custom HTML widgets and legitimate plugins like Simple Custom CSS and JS.
2. The malware employs time-based randomization to generate dynamic URLs that change every 10 minutes to evade blocks. It fetches further malicious scripts, uses XOR encoding and seemingly random variable names to elude security tools, and targets visitors from major sites like Google, Facebook, Yahoo, and Instagram.
3. Sign1 has evolved over the past six months, with the latest attack wave claiming 2,500 sites since January 2024, indicating that the campaign is becoming stealthier and more resilient to blocks.
4. To protect against these campaigns, website administrators are advised to use strong/long administrator passwords, update plugins to the latest versions, and remove unnecessary add-ons that could act as a potential attack surface.
These takeaways highlight the severity and sophistication of the Sign1 malware campaign and provide actionable steps to help mitigate the risk of infection.