The Sign1 virus campaign has already infected 39,000 WordPress sites.

A large-scale malware campaign

The tracked malware named Sign1 has compromised 39,000 WordPress sites in the last six months.

Detection of the Sign1 campaign

Security researchers from Sucuri have discovered a malware campaign tracked as Sign1, which has already compromised 39,000 WordPress sites in the past six months.

Malicious JavaScript inserts

Experts have found that attackers are injecting malicious JavaScript snippets into websites, redirecting users to harmful sites. Researchers, reaching out to SiteCheck, discovered that over 2,500 sites have been compromised in this campaign over the past two months.

“Plugins that allow the insertion of arbitrary JavaScript and other code onto a website are especially useful for website owners and developers, but they can also be abused by attackers in a compromised environment. Since these types of plugins allow for the addition of virtually any code, attackers often use them to insert their malicious or spam payloads,” states the experts' report.

"As expected, the plugin settings check revealed our suspect, hidden in the admin panel CSS & JS."

Implementation of malicious JavaScript

The Sign1 threats inject malicious JavaScript into legitimate plugins and HTML widgets. The injected code includes a hardcoded array of numbers that uses XOR encoding to generate new values.

Researchers have decrypted processed JavaScript code using XOR encoding and found that it is used to execute a JavaScript file hosted on a remote server. They also noticed that the attackers use dynamically changing URLs, allowing them to change the URL every 10 minutes. The code runs in visitors' browsers, leading to unwanted redirects and advertisements for website users.

This code stands out because it checks whether the visitor came from a known website, such as Google, Facebook, Yahoo, or Instagram. If the visitor did not come from one of these popular sites, the malicious code will not execute. Attackers have used this trick to avoid detection.

Redirects to VexTrio domains

Researchers have discovered that the redirects lead to VexTrio domains. The Sign1 campaign was first identified by researcher Denis Sinegubko in the second half of 2023, and Sucuri reported that the attackers used up to 15 different domains since July 31, 2023. The name of the campaign comes from the sign1 parameter, which is used in the code to extract and decrypt the domain name of the malicious URL from a third-party organization. In October 2023, the attackers began using a different obfuscation technique and removed the sign1 parameter. It is likely that the threats actively compromised websites through successful brute-force attacks.

“This is another example of why securing the admin panel and using website monitoring tools should be a top priority for website owners,” the report concludes.