Sucuri, a website security firm, has issued a warning about a new malware family called Sign1 that has infected more than 39,000 websites. The malware, found in WordPress custom HTML widgets or the Simple Custom CSS and JS WordPress plugin, redirects visitors to scam domains and displays unwanted ads. Unlike traditional malware, Sign1 stays unnoticed for longer periods as it does not place malicious code in server files. Instead, it changes URLs every 10 minutes to evade detection. It executes only for visitors from major websites like Facebook and Google to remain undetected. The malware also sets cookies to prevent repeated pop-ups for the same visitor and uses specific conditions for execution, including matching a hexadecimal-string JavaScript file. Sucuri has identified over 15 domains used in this malicious campaign, with eight of them responsible for thousands of infections each, affecting more than 2,500 sites in the last two months alone.
Read more: https://www.securityweek.com/39000-websites-infected-in-sign1-malware-campaign/