Ongoing Malware Campaign Targeting WordPress Websites

Published on 27 Mar 2024

There are reports of an ongoing malware campaign, Sign1, targeting WordPress sites. The campaign entails attackers gaining access to WordPress websites through brute force attacks and exploiting vulnerabilities in their plugins. Subsequently, upon gaining access, the attackers will embed malicious scripts into their custom HTML widgets and legitimate plugins.

The embedded malware will verify if the visitor is from reputable websites, such as Google, Facebook, and Instagram, to evade detection. If visitors are identified to be from these reputable sources, the malware will proceed to generate malicious advertisements or redirect visitors to malicious websites. The intention of this approach is to avoid detection by website owners, as typically, they will navigate directly to their websites instead of through these sources.

Users and administrators are encouraged to access their WordPress sites through reputable sources to check for any unexpected redirects or advertisements. If there are any malicious redirections or advertisements, users and administrators are advised to perform the following actions:

• Search and remove any backdoors within the webroot and upload directories

• Search and remove any backdoor injectors in theme files

• Check for any edited index.php files and other core WordPress files. Scan for appended obfuscated JavaScript within the files and remove any malicious injections

• Remove any unauthorised administrators or users that may have been created by the attacker

Administrators may also wish to consider tracking and blocking the following malicious domains associated with Sign1 campaign:

• js.abc-cdn[.]online

• spf.js-min[.]site

• cdn.jsdevlvr[.]info

• cdn.wt-api[.]top

• load.365analytics[.]xyz

• stat.counter247[.]live

• js.opttracker[.]online

• l.js-assets[.]cloud

• api.localadswidget[.]com

• page.24supportkit[.]com

• streaming.jsonmediapacks[.]com

• js.schema-forms[.]org

• stylesheet.webstaticcdn[.]com

• assets.watchasync[.]com

• tags.stickloader[.]info

Users and administrators of WordPress are advised to stay vigilant and adopt the following measures to defend themselves against these attacks:

• Use strong passwords/passphrases

• Enable Multi-Factor Authentication (MFA)

• Enforce IP access restrictions to permit login only from authorised IP addresses

• Implement CAPTCHA to mitigate the risk of automated bots from successfully gaining access to WordPress sites

• Limit login attempts to minimise the impact of brute force attacks

• Update WordPress's software, plugins, and themes to the latest versions

More information is available here:

https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html

https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campaign-infects-39-000-wordpress-sites/

https://securityaffairs.com/160942/hacking/sign1-malware-campaign.html?utm_source=tldrinfosec