Sign1 Malware Campaign: Dodgy Redirects and Sneaky Tactics

What is the Sign1 malware campaign and how does it work?

The Sign1 malware campaign is a sophisticated cyber threat that has compromised over 39,000 WordPress sites in the last six months by utilizing malicious JavaScript injections to redirect users to scam sites. This malware variant employs XOR-encoded JavaScript code that, once decoded, executes a JavaScript file hosted on a remote server. This file triggers redirects to a traffic distribution system operated by VexTrio under specific conditions. The malware employs time-based randomization to fetch dynamic URLs that change every 10 minutes to evade blocklists, with domains registered shortly before use in attacks. Notably, the malware selectively executes based on the visitor’s referral source, checking if they arrived from major websites like Google, Facebook, Yahoo, or Instagram. If the referrer does not match these criteria, the malicious code remains dormant. Upon activation, visitors are redirected to scam sites through additional JavaScript executions from the same server. The malware campaign has evolved over time, utilizing multiple domains and infiltrating WordPress sites through techniques like brute-force attacks or exploiting vulnerabilities in plugins and themes.

What is Sign1 Malware?

Have you ever visited a website that suddenly bombarded you with ads or redirected you to an unfamiliar page? If so, you might have encountered the Sign1 malware campaign. This malicious scheme has been infecting websites, particularly WordPress sites, disrupting the user experience and potentially exposing visitors to scams. Sign1 is a JavaScript-based malware that injects malicious code into vulnerable websites. This code can cause a variety of issues, including:

  • Redirects: Sign1 can redirect visitors to scam websites designed to steal personal information or promote unwanted products.
  • Pop-up Ads: The malware can bombard visitors with intrusive pop-up ads, making it difficult to navigate the intended website.

How Does Sign1 Work?

The attackers behind Sign1 are particularly sneaky. Here’s how they infect websites:

  • Targeting WordPress: Sign1 primarily targets websites built with WordPress, a popular content management system.
  • Widget Hijacking: Instead of directly modifying core files, Sign1 injects malicious scripts into custom HTML widgets or plugins, making it harder to detect.
  • Deceptive Plugins: Sometimes, attackers install a legitimate plugin like “Simple Custom CSS and JS” and inject the malware code within it.
  • Evasive Tactics: Sign1 employs various evasion techniques to stay under the radar. The malicious code uses:
    • Obfuscation: The code is disguised to make it appear harmless.
    • Dynamic URLs: The malware fetches instructions from frequently changing URLs, making it difficult to block.
    • Selective Targeting: The redirects might only occur for visitors coming from specific websites like Facebook or Google, further reducing suspicion.
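As an added illustration of how a site owner might triage the code stored in custom HTML widgets or code plugins for the behaviours described above (referrer gating, 10-minute time-bucketed URLs, XOR decoding, remote script loading), here is a small Python checker. It is not code from this article or from any Sign1 sample; its regexes are assumptions about how such code typically looks, and the snippets it scans are constructed for the example.

```python
import re

# Indicator patterns for the behaviours described in the text. These are
# assumptions about how such code tends to look, not signatures taken from
# a real Sign1 sample; tune them against your own captured widget content.
INDICATORS = {
    # decode loop: charCodeAt(...) XOR-ed with a key
    "xor_decode_loop": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    # dynamic creation of a <script> element to pull remote code
    "remote_script_load": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    # document.referrer tested against the big referrers named in the article
    "referrer_gate": re.compile(
        r"document\.referrer[\s\S]{0,120}?(google|facebook|yahoo|instagram)", re.I),
    # timestamp divided by 600000 ms = a new value every 10 minutes
    "time_bucketed_url": re.compile(r"(Date\.now\(\)|getTime\(\))\s*/\s*600000"),
}


def sign1_indicators(text: str) -> list[str]:
    """Return the names of the indicators present in one code snippet."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(snippets: dict[str, str], threshold: int = 2) -> dict[str, list[str]]:
    """Map snippet name -> matched indicators for snippets with >= threshold hits."""
    flagged = {}
    for name, code in snippets.items():
        hits = sign1_indicators(code)
        if len(hits) >= threshold:
            flagged[name] = hits
    return flagged


# Constructed samples (hypothetical widget contents). The suspicious one only
# contains the fragments a triager would look for; it is not a working script.
SAMPLES = {
    "widget_custom_html_3": """
var r=document.referrer;
if(!r.match(/google|facebook|yahoo|instagram/i)){}
var t=Math.floor(Date.now()/600000);
var s="";for(var i=0;i<p.length;i++){s+=String.fromCharCode(p.charCodeAt(i)^k);}
var e=document.createElement("script");
""",
    "widget_custom_html_1": """
<p>Opening hours: Mon-Fri 9-17</p>
<script>document.getElementById('year').textContent=new Date().getFullYear();</script>
""",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

Any widget that trips two or more indicators deserves a manual look; a single hit on a site that legitimately loads scripts dynamically is usually noise.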

Protecting Yourself from Sign1

If you’re a website owner, here are some steps to take:

  • Keep WordPress Updated: Regularly update WordPress core, themes, and plugins to patch vulnerabilities.
  • Strong Passwords: Use strong and unique passwords for your website and hosting accounts.
  • Security Plugins: Consider installing reputable security plugins that scan for malware.
  • Regular Backups: Maintain regular backups of your website to facilitate recovery in case of infection.

By staying vigilant and implementing these security measures, you can help protect your website and visitors from the Sign1 malware campaign and similar threats.

Remember, if you encounter suspicious redirects or pop-up ads while browsing, it’s best to navigate away from the website and report the incident to the website owner.

About David Damstra

Business Leader and Business Developer; Project Manager and Full Stack Developer & Designer; Creative Director, Brand Guardian, Minister of Company Culture; Co-Author of Professional WordPress, currently in its third edition. Seasoned web developer using practical technology to rapidly create standards-compliant dynamic websites. Experienced with web development, software development, systems and network management, and consulting.