Significant Malware Campaign Targets WordPress Sites
A recent and extensive malware campaign known as Sign1 has compromised over 39,000 WordPress sites over the past six months. The malware injects malicious JavaScript that redirects visitors to fraudulent websites. Notably, within the last two months alone, the campaign has infected an estimated 2,500 additional sites, according to a report from security firm Sucuri.
The Sign1 malware works by injecting rogue JavaScript into legitimate HTML widgets and plugins. These components allow arbitrary code to be inserted, which the attackers exploit to include their malicious scripts. The injected JavaScript is XOR-encoded; once decoded, it executes a remote JavaScript file. That remote file operates a traffic distribution system (TDS) linked to VexTrio, though visitors are redirected only under certain conditions.
The malware also employs time-based randomization: the URLs it fetches change every ten minutes, in an attempt to evade existing blocklists. The domains involved are typically registered just days before they are used in an attack, a tactic designed to sustain the campaign's momentum and effectiveness.
Security researcher Ben Martin has highlighted a critical function within the code: it checks the referrer of incoming traffic. If a visitor did not arrive from a major site such as Google or Facebook, the malware does not execute. This selective targeting lets the attackers focus on the more lucrative traffic that is likely to yield higher returns from redirected users.
The Sign1 campaign was first identified in the latter half of 2023, and since July 31 it has evolved through numerous iterations, using up to 15 different domains to carry out its attacks. Initial indications suggest that the compromised WordPress sites fell victim to brute-force attacks, though the attackers might also have exploited security vulnerabilities in various plugins or themes.
According to Martin, many of the infected sites receive their malicious code through newly installed legitimate plugins, such as the Simple Custom CSS and JS plugin. This approach reduces the risk of detection because the malicious code is held by the plugin rather than in files on the server, which allows the infection to operate undetected for long periods.
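The traits described above (XOR-decoded payload, referrer gate, ten-minute URL rotation, freshly registered domains, and code stored by a widget or plugin rather than in server files) are all things a site owner can look for in stored content. The following is an added example, not Sucuri's tooling and not the malware itself: a small Python heuristic scanner that pulls inline scripts out of stored widget or plugin HTML, scores them against those traits, and flags a script host whose RDAP registration date is only days old. The rule weights, the thresholds, the sample widgets and the RDAP-style record are all constructed assumptions for illustration; the patterns are generic heuristics, not Sign1 signatures.

```python
"""
Heuristic scanner for the Sign1-style injection pattern described above.
Added, constructed example (not Sucuri's analysis code and not the malware):
it scores a stored script on the traits the article lists and flags hosts
whose registration is only days old. The fixtures and the RDAP-style record
are constructed; the patterns are heuristics, not Sign1 signatures.
"""
import re
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

TEN_MINUTES_MS = r"(600000|6e5|60\s*\*\s*10\s*\*\s*1000)"

# (name, predicate, weight). Weights and the threshold are assumptions.
RULES: List[Tuple[str, Callable[[str], bool], int]] = [
    # XOR-style decoding of an embedded payload into characters
    ("xor_decode", lambda js: re.search(r"fromCharCode\s*\([^)]*\^", js) is not None, 3),
    # referrer gate: only fires for visitors arriving from major sites
    ("referrer_gate", lambda js: "document.referrer" in js
                      and re.search(r"google|facebook", js, re.I) is not None, 3),
    # a ten-minute time bucket (600,000 ms) feeding a URL that changes over time
    ("ten_minute_bucket", lambda js: re.search(
        r"(Date\.now\(\)|\.getTime\(\))\s*/\s*" + TEN_MINUTES_MS, js) is not None, 2),
    # dynamic loading of a remote script
    ("dynamic_script", lambda js: re.search(r"createElement\s*\(\s*['\"]script['\"]\s*\)", js) is not None, 1),
    ("remote_src", lambda js: re.search(r"\.src\s*=\s*[^;]*(https?:)?//", js) is not None, 1),
]
SUSPICIOUS_THRESHOLD = 5   # assumption: two strong traits together deserve a look
NEW_DOMAIN_DAYS = 30       # assumption: a registration younger than this is notable

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def extract_scripts(stored_html: str) -> List[str]:
    """Pull inline <script> bodies out of stored widget/plugin HTML."""
    return [m.strip() for m in SCRIPT_RE.findall(stored_html)]


def score_snippet(js: str) -> Dict[str, object]:
    """Apply every rule to one script body and return the hits and score."""
    hits = [name for name, pred, _ in RULES if pred(js)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= SUSPICIOUS_THRESHOLD}


def scan_stored_content(stored_html: str) -> List[Dict[str, object]]:
    """Score each inline script found in a stored widget or plugin entry."""
    return [score_snippet(js) for js in extract_scripts(stored_html)]


def domain_age_days(rdap_record: dict, today_iso: str) -> Optional[int]:
    """Age in days from an RDAP-style record's 'registration' event, or None."""
    for event in rdap_record.get("events", []):
        if event.get("eventAction") == "registration":
            registered = date.fromisoformat(event["eventDate"][:10])
            return (date.fromisoformat(today_iso) - registered).days
    return None


def is_newly_registered(rdap_record: dict, today_iso: str) -> bool:
    """True when the domain is younger than NEW_DOMAIN_DAYS."""
    age = domain_age_days(rdap_record, today_iso)
    return age is not None and age < NEW_DOMAIN_DAYS


# --- constructed fixtures (not real Sign1 code or infrastructure) ---
BENIGN_WIDGET = """<div class="promo"><script>
var s=document.createElement('script');s.src='https://cdn.example.org/lib.js';
document.head.appendChild(s);</script></div>"""

# Inert stand-in for the traits the article describes: a three-byte XOR-decoded
# string, a referrer gate and a ten-minute time bucket in the script URL.
SUSPECT_WIDGET = """<div class="footer"><script>
var k=[1,2,3],p='';for(var i=0;i<k.length;i++){p+=String.fromCharCode(k[i]^7);}
if(/google|facebook/i.test(document.referrer)){var t=Math.floor(Date.now()/600000);
var s=document.createElement('script');s.src='//'+p+'/'+t+'.js';document.head.appendChild(s);}
</script></div>"""

# What an RDAP lookup might return for a script host (constructed record).
SAMPLE_RDAP = {"ldhName": "example.invalid",
               "events": [{"eventAction": "registration", "eventDate": "2024-03-15T00:00:00Z"}]}

if __name__ == "__main__":
    for label, html in (("benign", BENIGN_WIDGET), ("suspect", SUSPECT_WIDGET)):
        for result in scan_stored_content(html):
            print(label, result)
    print("newly registered:", is_newly_registered(SAMPLE_RDAP, "2024-03-20"))
```

In practice the input to `scan_stored_content` would be the HTML of each custom HTML widget and each entry a code-injection plugin stores, exported from the site's database, since that is where the article says the code lives rather than in server files; the RDAP record would come from a lookup of the host in any flagged script's `src`. A hit is a lead for manual review, not proof of compromise: plenty of legitimate tag-manager snippets load remote scripts dynamically, which is why that trait alone scores below the threshold.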
In this context, the tactics and techniques mapped out in the MITRE ATT&CK framework are directly relevant. Notably, initial access tactics such as credential dumping or exploitation of valid accounts may have been leveraged through brute force or plugin vulnerabilities. The persistence tactics used here, including the installation of unauthorized plugins, have been pivotal in maintaining control over compromised sites. Furthermore, privilege escalation techniques could have been employed to gain higher privileges on the WordPress installations.
The scope and sophistication of the Sign1 campaign serve as a stark reminder for business owners regarding the persistent threats lurking within the cybersecurity landscape. As organizations rely increasingly on platforms like WordPress, understanding the techniques used in such attacks, as outlined by the MITRE ATT&CK framework, becomes crucial for fortifying defenses against similar vulnerabilities in the future.
For further updates and insights into cybersecurity threats, business owners are encouraged to follow authoritative sources, including Google News, Twitter, and LinkedIn, which provide ongoing coverage and analysis of emerging incidents in the cybersecurity domain.