WordPress Sign1 Malware Infects Over 39K Sites In 6 Months
Recent media reports have revealed a malware campaign that has been active for the past six months. Reports claim that the WordPress Sign1 malware has infected and compromised over 39,000 sites. As of now, it is believed that the campaign uses malicious JavaScript injections to redirect users to scam sites.
In this article, we’ll go over how the WordPress Sign1 malware was discovered, the sequence threat actors use to initiate the attacks, and more. Let’s begin!
WordPress Sign1 Malware: Initial Discovery
The Sucuri website security and protection platform’s researchers were the first to find the most recent WordPress Sign1 malware. Sucuri helps protect websites from online threats. Sucuri cybersecurity researchers discovered the WordPress Sign1 malware when an unusual pop-up ad appeared on one of their client’s websites.
Researchers have stated that their client’s website was breached using a brute force attack. In their reports, it’s mentioned that the WordPress Sign1 malware has infected and compromised over 39,000 websites. It’s worth mentioning here that the cybersecurity firm has not shared details of the sites that were breached.
Attack Sequence of the WordPress Sign1 Malware Campaign
Before we get into the details of how the WordPress malware Sign1 campaign attacks are carried out, know that the latest wave of attacks has impacted more than 2,500 online resources. Threat actors started the phase in January 2024.
Given the number of online resources it has impacted since then, learning the attack sequence is paramount. Doing so can help organizations develop feasible cybersecurity strategies, leading to an improved security posture.
Gaining Access
As far as hackers gaining access is concerned, a brute force attack was used to breach a website belonging to one of Sucuri’s clients. Details of other attacks have not been disclosed as of now.
However, it’s worth mentioning that other recent attacks on WordPress sites unrelated to the WordPress malware Sign1 campaign mainly used two tactics to gain access. These tactics include brute force attacks and exploiting plug-in vulnerabilities.
Such tactics proved successful in gaining unauthorized access, which could be used to carry out malicious intentions. Given this, similar tactics may have been deployed in the WordPress Sign1 malware attacks.
Carrying Out The Attack
Once threat actors have gained access, they are believed to use two methods of initiating the attack, both of which inject malicious JavaScript code. To inject the code, the hackers either install a custom HTML widget or the Simple Custom CSS and JS plugin. In addition, researchers have also found that the WordPress Sign1 malware is capable of evading blocks.
It does that by using time-based randomizations, which generate new URLs based on 10-minute intervals. These domains were registered shortly before being used in the attack and are, therefore, not on any blocklists. As per the reports, the purpose of these URLs is to acquire more malicious code that can run on the visitor’s browser.
The WordPress Sign1 malware is also capable of evading detection, making it a notable threat that can only be countered with robust strategies. The malicious script features XOR encoding alongside random variable names, allowing it to mask its identity and prevalence. The malicious code is used to target visitors coming from major platforms.
Some common examples of such platforms include Facebook, Instagram, Google, Yahoo, and others. In addition, the malware creates a cookie in the browser to make sure that the malicious pop-up is displayed only once per visitor. This tactic makes it less likely that visitors will report the pop-up to the website’s owner.
The script then redirects visitors to scam sites, where they are tricked into enabling browser notifications. Once enabled, these notifications continue to deliver malicious and unwanted advertisements to the targeted users and devices.
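The traits described above (time-bucketed URLs, XOR decoding, referrer checks, a once-per-visitor cookie, and run-time script loading) can be turned into a triage heuristic for content stored in Custom HTML widgets and CSS/JS plugin posts. The following is an added example written for this article, not Sucuri’s detection logic; the regexes are our own approximations, and the sample blobs are constructed, deliberately non-functional stand-ins for exported site content.

```python
import re

# Heuristic indicators approximating the behaviours the campaign is reported
# to use; these are regexes written for this example, not Sucuri's signatures.
INDICATORS = {
    # URL derived from the current time in 10-minute (600000 ms) buckets
    "time_bucketed_url": lambda s: re.search(
        r"(?:new\s+Date\s*\(\s*\)(?:\s*\.getTime\s*\(\s*\))?|Date\.now\s*\(\s*\))"
        r"\s*/\s*600000\b", s) is not None,
    # XOR decoding of a string, character by character
    "xor_decode": lambda s: re.search(r"charCodeAt\s*\([^)]*\)\s*\^", s) is not None,
    # referrer tested against the platforms the campaign targets
    "referrer_targeting": lambda s: "document.referrer" in s
        and re.search(r"facebook|instagram|google|yahoo", s, re.I) is not None,
    # cookie written so the pop-up fires once per visitor
    "once_per_visitor_cookie": lambda s: re.search(r"document\.cookie\s*=", s) is not None,
    # second-stage script element injected into the page at run time
    "dynamic_script_load": lambda s: re.search(
        r"createElement\s*\(\s*['\"]script['\"]\s*\)", s) is not None,
}

def scan(content: str) -> list[str]:
    """Return the names of all indicators that fire on one stored blob."""
    return [name for name, check in INDICATORS.items() if check(content)]

def triage(blobs: dict[str, str], threshold: int = 3) -> list[tuple[str, list[str]]]:
    """Flag every location whose blob trips at least `threshold` indicators."""
    flagged = []
    for location, content in blobs.items():
        hits = scan(content)
        if len(hits) >= threshold:
            flagged.append((location, hits))
    return flagged

# Constructed sample content standing in for an export of the widget_custom_html
# option and the CSS/JS plugin's posts. The second blob is intentionally
# incomplete (undefined names, no URL) and only exercises the heuristics.
SAMPLE_BLOBS = {
    "widget_custom_html[2]": (
        "<p>Subscribe to our newsletter</p>"
        "<script>if(!document.cookie.includes('consent'))"
        "{document.cookie='consent=1;max-age=31536000';}</script>"
    ),
    "custom-css-js post 117": (
        "<script>var _0x4a=Math.floor(new Date().getTime()/600000);"
        "var _0x9c='';for(var i=0;i<_0x2e.length;i++)"
        "{_0x9c+=String.fromCharCode(_0x2e.charCodeAt(i)^_0xk);}"
        "if(/facebook|instagram|google|yahoo/i.test(document.referrer)"
        "&&!/_s1=/.test(document.cookie)){document.cookie='_s1=1;max-age=86400';"
        "var _0xe=document.createElement('script');_0xe.src=_0x9c+_0x4a;"
        "document.head.appendChild(_0xe);}</script>"
    ),
}

if __name__ == "__main__":
    for location, hits in triage(SAMPLE_BLOBS):
        print(f"{location}: {', '.join(hits)}")
```

A single indicator (the benign widget’s consent cookie) stays below the threshold, while the injected post trips all five and is the only location reported.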
WordPress Security Best Practices Against Sign1
As far as protection and mitigation measures go, it’s worth mentioning that Sucuri researchers have warned that the malware has continued to evolve over the past 6 months. Reports have additionally claimed that infections pertaining to the WordPress Sign1 malware spike with each new version.
With each version update, the malware becomes more resilient and displays increased stealth abilities. Given the number of sites it has infected to date, such evolution is increasingly becoming a worrying development, and safeguarding against the WordPress Sign1 malware is essential.
When it comes to protecting WordPress sites from Sign1 attacks, users are recommended to use long and strong passwords. Updating plug-ins to the latest versions and removing unnecessary add-ons are also encouraged, as they reduce the attack surface and lower the chances of a breach.
Conclusion
The WordPress Sign1 malware, known to be active for 6 months, has infected and compromised over 39,000 websites. It’s worth mentioning here that 2,500 of these have been compromised since January 2024. As a part of the attacks, threat actors leverage malicious code, which redirects users to scam sites.
Given the severity of the attacks and the malware’s worrying evolution, using proactive cybersecurity measures is essential as it can help improve security posture and reduce attack exposure.
The sources for this piece include articles in The Hacker News and BleepingComputer.