39,000 Websites Infected in ‘Sign1’ Malware Campaign

Summary:
Sucuri, a website security firm, has warned about a new malware strain called Sign1, which has infected more than 39,000 websites. The malware redirects visitors to scam domains and displays unwanted advertisements. Sign1, found in WordPress custom HTML widgets or in the Simple Custom CSS and JS plugin, evades detection by not writing malicious code directly into server files. Instead, the injected code loads a script whose URL changes in the victim's browser every 10 minutes, leading to unwanted redirects to VexTrio domains. The malware is obfuscated to conceal itself and only activates for visitors arriving from major websites. It also sets a cookie so that the same visitor is not shown repeated pop-ups.

Sucuri found that the malware only executes under specific conditions, including that the JavaScript file it fetches, named with a hexadecimal string, matches the current 10-minute interval. When the conditions are met, the malware redirects users to malicious sites, often VexTrio scam sites.

Security Officer Comments:
In the last six months, Sucuri has identified over 39,000 infected sites with various versions of Sign1, infecting more than 2,500 sites in the past two months alone. The security firm has identified 15 domains used in this malicious campaign, with eight of them involved in thousands of infections each.

Suggested Corrections:
Researchers at Sucuri recommend that website owners make website monitoring tools a top priority. One infected site they examined had the WordPress Activity Log plugin installed, and the researchers were able to confirm that suspicious activity in the admin panel was indeed the cause. The infection occurred after a huge number of failed logins originating from a large number of IP addresses, suggesting a successful brute-force attack.
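The log review described above, as an added example that is not Sucuri's code: a heuristic detector run over constructed activity-log lines, flagging a burst of failed logins from many IP addresses followed by a successful login and an edit to a custom HTML widget or custom CSS/JS option. The log line format, the thresholds and the option names are assumptions made for this example, not the Activity Log plugin's real export format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Detection thresholds (assumed values; tune to the site's normal login traffic)
WINDOW = timedelta(minutes=15)     # look-back for failed logins before a success
MIN_FAILS, MIN_IPS = 10, 5         # burst size and IP spread that count as brute force
# Settings an attacker would edit to plant Sign1-style code (assumed option names)
INJECTION_TARGETS = ("widget_custom_html", "custom_css_js")


def build_sample_log():
    """Constructed sample lines: '<ISO time> <event> ip=<addr> user=<name> [target=<option>]'."""
    base = datetime(2024, 3, 10, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=3 * i)).isoformat()} login_failed "
             f"ip=198.51.100.{10 + i % 8} user=admin" for i in range(24)]
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} login_success ip=198.51.100.13 user=admin")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} option_updated "
                 "ip=198.51.100.13 user=admin target=widget_custom_html")
    return lines


def parse(line):
    """Split one constructed log line into (timestamp, event, key/value fields)."""
    ts, event, *kv = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in kv)


def detect(lines):
    """Return alerts: a brute-force burst ending in a successful login, and any
    later edit of an injection target by the same user within WINDOW."""
    fails, alerts = [], []
    for ts, event, f in (parse(line) for line in lines):
        if event == "login_failed":
            fails.append((ts, f["ip"]))
        elif event == "login_success":
            recent = Counter(ip for t, ip in fails if ts - t <= WINDOW)
            if sum(recent.values()) >= MIN_FAILS and len(recent) >= MIN_IPS:
                alerts.append({"kind": "bruteforce_then_success", "ts": ts, "user": f["user"],
                               "ip": f["ip"], "fails": sum(recent.values()), "ips": len(recent)})
        elif event == "option_updated" and f.get("target") in INJECTION_TARGETS:
            prior = [a for a in alerts if a["kind"] == "bruteforce_then_success"
                     and a["user"] == f["user"] and ts - a["ts"] <= WINDOW]
            if prior:
                alerts.append({"kind": "injection_point_edited", "ts": ts, "user": f["user"],
                               "ip": f["ip"], "target": f["target"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

A single failed login followed by a success and a widget edit produces no alert, so routine admin work stays quiet; only the many-IP burst described in the write-up trips the rule.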

Link(s):
https://www.securityweek.com/39000-websites-infected-in-sign1-malware-campaign/

https://blog.sucuri.net/2024/03/sig...ampaign-history-indicators-of-compromise.html