March 22, 2024 at 08:33AM
The Sign1 malware campaign has compromised 39,000 WordPress sites in six months, using malicious JavaScript injections to redirect users to scam sites. The recent variant infected 2,500 sites in the last two months alone. The campaign employs rogue JavaScript injected into legitimate HTML widgets and plugins, with time-based randomization to fetch dynamic URLs. This campaign has been utilizing brute-force attacks and security flaws in plugins and themes to gain access to WordPress sites. The malware stays undetected for extended periods by not placing any malicious code into server files.
Key Takeaways from Meeting Notes:
– Sign1 malware campaign has impacted over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.
– The most recent variant has infected at least 2,500 sites over the past two months.
– Attackers inject rogue JavaScript into legitimate HTML widgets and plugins, exploiting vulnerabilities to add their malicious code.
– XOR-encoded JavaScript code is decoded and used to execute a JavaScript file hosted on a remote server, leading to redirects to a traffic distribution system.
– The malware employs time-based randomization to fetch dynamic URLs, changing every 10 minutes to evade blocklists.
– The malware specifically checks if visitors have come from major websites such as Google, Facebook, Yahoo, and Instagram before executing.
– The campaign has seen multiple iterations, leveraging as many as 15 different domains since July 31, 2023.
– The attackers likely gain access to WordPress sites through brute-force attacks or by exploiting security flaws in plugins and themes.
– The malware is often found inside custom HTML widgets and injected using legitimate plugins, allowing it to remain undetected for extended periods.
Let me know if you need any further details or summaries.