Major new malware campaign hits thousands of WordPress sites

Sead Fadilpašić

March 22, 2024 at 9:39 AM·2 min read

A white padlock on a dark digital background.

Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites.

Dubbed Sign1, the malware redirects visitors to dangerous websites, and shows them popup ads the owners never intended to show.

The discovery was made earlier this week by cybersecurity researchers Sucuri, after a client said its website was misbehaving, BleepingComputer reports.

Multiple obfuscation methods

As per Sucuri’s report, its client’s website was brute-forced, with unnamed hackers trying countless username/password combinations until they found one that worked. After that, instead of modifying the WordPress files (which is standard practice for WordPress-related attacks, it seems), the threat actors either injected the malware into custom HTML widgets and plugins, or installed Simple Custom CSS and JS plugins to add the JavaScript code to the site.

Subsequent investigation showed that more than 39,000 websites were infected with the same malware. Sucuri isn’t certain how other websites were compromised, but speculates that the attackers used a combination of brute-forcing and leveraging vulnerabilities in different plugins and themes.

Sign1 also has a couple of methods to avoid being spotted.

For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes. That way, the malware ensures the domains are always fresh and not added to any blocklists.

Secondly, the domains are hosted on HETZNER and Cloudflare, obfuscating both hosting and IP addresses. Finally, the injected code comes with XOR encoding and random variable names, making detection even more difficult.

The campaign has been ongoing for roughly six months, the researchers concluded, adding that the malware is in active development. Every time the developers release a new version, infections spike.

The latest attack started in January 2024 and has so far resulted in roughly 2,500 compromised websites.

To remain secure, the researchers advise website owners to make sure their username/password combination is strong enough not to be breached with brute-force attacks. All unused or unnecessary plugins and themes should also be uninstalled, as they can allow the attackers unabated access to the premises.

More from TechRadar Pro

This nasty new Android malware can easily bypass Google Play security — and it's already been downloaded thousands of times
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Yahoo TV
'The Simpsons' has been on the air for 34 years. Why a character's shocking death is rare for the series.
He was only the ninth recurring character to ever be killed off in the show's 34-year history.
7h ago
Yahoo Life
'Vampire facials' likely infected 3 women with HIV. Here's what health experts want you to know about these beauty treatments — and how to stay safe.
Vampire facials themselves may not be dangerous, but unsafe practices at unlicensed spas can lead to infections, experts say.
7h ago
Engadget
Apple has reportedly resumed talks with OpenAI to build a chatbot for the iPhone
Apple has resumed talks with OpenAI, the maker of ChatGPT, to build an AI-powered chatbot into the iPhone, according to a new report.
8h ago
Yahoo Life Shopping
Target has outdoor furniture on sale from $130 — I shop for home products 24/7, and these are my picks
'Deck' out your space with everything from chic rattan chairs to sleek patio bars — and save up to $200.
11h ago
TechCrunch
How Rubrik’s IPO paid off big for Greylock VC Asheem Chandna
When Asheem Chandna drove up to Rubrik's office in Palo Alto on a Friday night in early 2015, he was looking forward to learning what the young company that had yet to build its product would show him. The Greylock partner wasn't disappointed. The company's CEO, Bipul Sinha, drew Rubrik's plan to revamp the data management and recovery market on a whiteboard.
9h ago
Yahoo Life Shopping
Pickleballers, rejoice: Prince's new Target collab has everything you need to stand out on the court
Step up your style game with these retro-inspired pullovers, hoodies, belt bags and more.
10h ago
Yahoo Sports
NBA playoffs: Tyrese Hailburton game-winner and potential Damian Lillard Achilles injury leaves Bucks in nightmare
Tyrese Haliburton hit a floater with 1.1 seconds left in overtime to give the Indiana Pacers a 121–118 win over the Milwaukee Bucks. The Pacers lead their first-round playoff series two games to one.
10h ago
Yahoo News
Trump trial updates: Focus shifts to $130,000 payment made to Stormy Daniels
Former National Enquirer publisher David Pecker concluded his testimony about a deal to kill negative stories about former President Trump during the 2016 campaign, and two more witnesses were called.
11h ago
Yahoo Life Shopping
This iconic, universally flattering Clinique lipstick sells out fast — grab it while it's a rare 20% off
It's been a staple since the 1980s thanks to its moisturizing formula and chameleon-like hue.
10h ago
Yahoo Life Shopping
The 30 best Walmart deals to shop this week — save up to 80% on Mother's Day gifts, gardening supplies and more
Some major deals on board: a Dyson stick vac for just $300, an HP laptop for $240 off and a powerful tower fan at a nearly 40%-plus markdown.
11h ago
TechCrunch
Photo-sharing community EyeEm will license users' photos to train AI if they don't delete them
EyeEm, the Berlin-based photo-sharing community that exited last year to Spanish company Freepik after going bankrupt, is now licensing its users' photos to train AI models. Earlier this month, the company informed users via email that it was adding a new clause to its Terms & Conditions that would grant it the rights to upload users' content to "train, develop, and improve software, algorithms, and machine-learning models." Users were given 30 days to opt out by removing all their content from EyeEm's platform.
11h ago
Autoblog
Chevrolet Equinox Plus is a PHEV for China, maybe America
The 2025 Chevrolet Equinox Plus, a plug-in hybrid SUV, recently debuted at the Beijing Auto Show, promising a long driving range and familiar styling.
11h ago
Yahoo Sports
NFL to allow players to wear protective Guardian Caps in games beginning with 2024 season
The NFL will allow players to wear protective Guardian Caps during games beginning with the 2024 season. The caps were previously mandated for practices.
13h ago
Yahoo Sports
The best things we saw this week: Tyler Duffey returns to the mound for Kansas City
The Royals' reliever was diagnosed with melanoma during spring training.
12h ago
Autoblog
Buick Electra-L, Electra-LT concepts lead the Wildcat to production
Buick debuts the Electra-L sedan and Electra-LT wagon concepts at the Beijing Motor Show. Both all-electric, the sedan's expected to launch in 2025.
14h ago
Yahoo Sports
Panthers owner David Tepper stopped by Charlotte bar that criticized his draft strategy
“Please Let The Coach & GM Pick This Year" read a sign out front.
15h ago
Engadget
Aaron Sorkin is working on a Jan. 6-focused follow-up to The Social Network
Aaron Sorkin has announced that he’s currently writing a followup script to The Social Network. The original was his take on the initial years of Facebook.
13h ago
Yahoo Sports
Jackson Holliday sent back to Triple-A after struggling in first 10 games with Orioles
Holliday batted .059 in 34 at-bats after being called up April 10.
14h ago
Yahoo News 360
Should colleges crack down on pro-Palestinian protests?
Universities across the country are taking varying approaches to encampments that have taken root on their campuses, with some allowing them to remain and others calling in police to break them up.
13h ago
Engadget
Nikon’s Z8 is a phenomenal mirrorless camera for the price
Nikon's Z8 is one of the highest resolution full-frame cameras with 45 megapixels, but is also one of the fastest and has incredible video capabilities too.
14h ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Major new malware campaign hits thousands of WordPress sites

Multiple obfuscation methods

More from TechRadar Pro

Recommended Stories

'The Simpsons' has been on the air for 34 years. Why a character's shocking death is rare for the series.

'Vampire facials' likely infected 3 women with HIV. Here's what health experts want you to know about these beauty treatments — and how to stay safe.

Apple has reportedly resumed talks with OpenAI to build a chatbot for the iPhone

Target has outdoor furniture on sale from $130 — I shop for home products 24/7, and these are my picks

How Rubrik’s IPO paid off big for Greylock VC Asheem Chandna

Pickleballers, rejoice: Prince's new Target collab has everything you need to stand out on the court

NBA playoffs: Tyrese Hailburton game-winner and potential Damian Lillard Achilles injury leaves Bucks in nightmare

Trump trial updates: Focus shifts to $130,000 payment made to Stormy Daniels

This iconic, universally flattering Clinique lipstick sells out fast — grab it while it's a rare 20% off

The 30 best Walmart deals to shop this week — save up to 80% on Mother's Day gifts, gardening supplies and more

Photo-sharing community EyeEm will license users' photos to train AI if they don't delete them

Chevrolet Equinox Plus is a PHEV for China, maybe America

NFL to allow players to wear protective Guardian Caps in games beginning with 2024 season

The best things we saw this week: Tyler Duffey returns to the mound for Kansas City

Buick Electra-L, Electra-LT concepts lead the Wildcat to production

Panthers owner David Tepper stopped by Charlotte bar that criticized his draft strategy

Aaron Sorkin is working on a Jan. 6-focused follow-up to The Social Network

Jackson Holliday sent back to Triple-A after struggling in first 10 games with Orioles

Should colleges crack down on pro-Palestinian protests?

Nikon’s Z8 is a phenomenal mirrorless camera for the price