Sign1 Malware Attacks WordPress Plugins


A significant malware operation, identified as Sign1, has infiltrated 39,000 WordPress websites within the past six months, as observed by security analysts at Sucuri. The campaign injects malicious JavaScript into compromised websites, redirecting visitors to harmful destinations. Using SiteCheck, researchers found that over 2,500 sites were infected in the last two months alone.

Sign1 Attacks WordPress Through Code Insertion Plugins

According to the experts' report, plugins allowing arbitrary code insertion are convenient for website owners and developers, but they can also be exploited by attackers in compromised environments. The malicious actors behind Sign1 exploit such plugins, particularly those permitting Custom CSS & JS, to insert their harmful payload.

They embed malicious JavaScript into legitimate plugins and HTML widgets. The injected code is XOR-encoded and executes remote JavaScript files. The URLs change dynamically every 10 minutes, complicating detection efforts. Notably, the malicious code does not execute if the visitor arrives from a major website such as Google or Facebook, a tactic used to evade detection.
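The traits described above (XOR decoding, a referrer check, a dynamically created script element, a time-dependent URL) can drive a first triage pass over snippets stored by code-insertion plugins and HTML widgets. The following is an added example, not code from Sucuri's report: the regexes are generic heuristics rather than published Sign1 signatures, and the snippet IDs and sample contents are constructed, assuming the stored snippets have already been exported as an ID-to-code mapping.

```python
import re

# Heuristic traits drawn from the behaviour described in the article.
# Assumption: these regexes are generic, not published Sign1 signatures.
TRAITS = {
    "xor_decode": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"),
    "from_char_code": re.compile(r"String\.fromCharCode"),
    "referrer_check": re.compile(r"document\.referrer"),
    "dynamic_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
    "time_based": re.compile(r"Date\.now\s*\(|new\s+Date\b|\.getTime\s*\("),
}

def score_snippet(code):
    """Return the sorted names of all traits found in one stored snippet."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(code))

def triage(snippets, threshold=3):
    """Map snippet id -> traits, keeping snippets with >= threshold traits.

    A single trait is common in legitimate code (analytics loaders create
    script elements too), so only the combination is flagged for review.
    """
    hits = {}
    for sid, code in snippets.items():
        found = score_snippet(code)
        if len(found) >= threshold:
            hits[sid] = found
    return hits

# Constructed samples (hypothetical ids; the first is an inert fragment that
# only carries the traits, with undefined variables and no remote host).
SAMPLES = {
    "widget-12": "var r=document.referrer;if(!/google|facebook/.test(r)){"
                 "var u='';for(var i=0;i<d.length;i++)"
                 "u+=String.fromCharCode(d.charCodeAt(i)^k);"
                 "var s=document.createElement('script');s.src=u+Date.now();}",
    "custom-js-3": "document.querySelector('.menu').classList.toggle('open');",
    "custom-js-7": "var s=document.createElement('script');"
                   "s.src='https://cdn.example.invalid/lib.js';"
                   "document.head.appendChild(s);",
}

if __name__ == "__main__":
    for sid, traits in triage(SAMPLES).items():
        print(f"review {sid}: {', '.join(traits)}")
```

Flagged snippets are candidates for manual review, not confirmed infections; lowering `threshold` widens the net at the cost of more false positives.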

The redirects orchestrated by Sign1 predominantly lead to VexTrio domains. Initially identified by researcher Denis Sinegubko in the latter half of 2023, the campaign has utilized up to 15 different domains since July 31, 2023.

The campaign's name, Sign1, originates from a parameter within the code used to extract and decode malicious URLs. In October 2023, attackers modified their obfuscation tactics, eliminating the sign1 parameter, possibly indicating successful brute-force attacks on targeted websites.

March 25, 2024