A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.
The latest variant of the malware is estimated to have infected no fewer than 2,500 sites in the past two months alone, Sucuri said in a report published this week.
The attacks inject unauthorized JavaScript through legitimate HTML widgets and plugins whose intended purpose is to let site owners add arbitrary JavaScript and other code; attackers abuse that same feature to add their own malicious code.
The XOR-encoded JavaScript is decoded at runtime and loads a second JavaScript file hosted on a remote server, which in turn redirects the visitor to a traffic distribution system (TDS) operated by VexTrio, but only if certain criteria are met.
Additionally, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to bypass blocklists. These domains are registered a few days before their use in attacks.
“One of the most noteworthy things about this code is that it specifically looks to see if the visitor is coming from major websites like Google, Facebook, Yahoo, Instagram etc.,” said security researcher Ben Martin. “If the referrer does not match these top sites, the malware will not run.”
Site visitors are then redirected to other scam sites by running another JavaScript from the same server.
The Sign1 campaign, first detected in the second half of 2023, has gone through several iterations, with attackers using up to 15 different domains as of July 31, 2023.
WordPress sites are suspected to have been compromised via brute-force login attacks, although attackers could also exploit security flaws in plugins and themes to gain access.
“Many of the injections are located within custom WordPress HTML widgets that attackers add to compromised websites,” Martin said. “Most often, attackers install a legitimate Simple Custom CSS and JS plugin and inject malicious code using this plugin.”
Because the injected code lives in the WordPress database, as widget or plugin content, rather than in files on the server, it evades file-based integrity checks and can go undetected for long periods of time, Sucuri said.