Cybersecurity

Malware Campaigns Sign1 and StrelaStealer Impact Thousands of Websites

A new malware campaign known as Sign1 has infected over 39,000 websites, targeting visitors who arrive from major sites like Google and Facebook, while another campaign called StrelaStealer is stealing email credentials from organizations in the U.S. and Europe through phishing attacks.

At a glance

  • A new malware campaign known as Sign1 has infected over 39,000 websites in the past six months.
  • Sign1 injects malware into custom HTML widgets and legitimate plugins on WordPress sites.
  • The malware uses time-based randomization and dynamic URLs to evade blocks.
  • StrelaStealer has impacted over a hundred organizations in the U.S. and Europe, stealing email credentials.
  • Users are advised to use strong passwords, update plugins, and be cautious with unsolicited emails to protect against these malware campaigns.

The details

A new malware campaign known as Sign1 has been causing havoc by infecting over 39,000 websites in the past six months.

The threat actors behind the campaign are injecting malware into custom HTML widgets and legitimate plugins on WordPress sites.

The discovery of the campaign was made by security firm Sucuri after a client’s website displayed popup ads.

Sucuri has not disclosed how other sites were compromised but suspects that the attack involves brute force attacks and exploiting vulnerabilities in plugins.

The malware uses time-based randomization to generate dynamic URLs, and its domains are registered shortly before they are used in attacks, so that static blocklists lag behind the campaign.

The malicious code features XOR encoding and random variable names, and it only activates for visitors arriving from major sites like Google, Facebook, Yahoo, and Instagram.

The malware redirects visitors to scam sites and attempts to trick them into enabling browser notifications.

Sucuri warns that Sign1 has evolved over the past six months, with infections spiking when a new version of the malware was released.

The latest attack wave has claimed 2,500 sites since January 2024, and the campaign has become stealthier and more resilient to blocks over time.

To protect against these campaigns, users are advised to use strong and long administrator passwords and update plugins to the latest version.

Unnecessary add-ons should also be removed to reduce the potential attack surface.

In addition to Sign1, another malware campaign called StrelaStealer has impacted over a hundred organizations in the U.S. and Europe.

StrelaStealer steals email account credentials from Outlook and Thunderbird and uses a polyglot file infection method to evade detection.

The malware was originally targeting Spanish-speaking users but now focuses on people from the U.S. and Europe.

StrelaStealer is distributed through phishing campaigns, with a significant uptick observed in November 2023.

The attacks have surpassed 500 in the U.S. on some days, with the most targeted entities being in the high tech space, followed by finance, legal services, manufacturing, government, utilities and energy, insurance, and construction.

The malware uses ZIP attachments to drop JScript files on victims’ systems, and the new version employs control flow obfuscation and removes PDB strings to evade detection.

Users are advised to be cautious with unsolicited emails involving payments or invoices and to refrain from downloading attachments from unknown senders to protect against StrelaStealer.

The malware’s primary function is to steal email login information and send it to attackers’ command-and-control server.

Cybersecurity researchers have also detected a new wave of phishing attacks delivering StrelaStealer, targeting over 100 organizations in the EU and the U.S. The malware is designed to steal email login data and send it to an attacker-controlled server.

The activity consists of two large-scale campaigns targeting various sectors, with the malware delivered via invoice-themed emails carrying ZIP attachments.

Moreover, fake installers for popular applications are being used to distribute a stealer malware called Stealc, while phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT.

A social engineering scam targets people searching for information about recently deceased individuals, redirecting them to adult entertainment websites or presenting false virus alerts. The scam is currently focused on affiliate programs for antivirus software.

Separately, a new activity cluster called Fluffy Wolf is using phishing emails to deliver various threats.

The campaign highlights that even unskilled threat actors can conduct successful attacks using malware-as-a-service schemes.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– Sign1 malware campaign has infected over 39,000 websites in the past six months
– Threat actors inject malware into custom HTML widgets and legitimate plugins on WordPress sites
– Sucuri discovered the campaign after a client’s website displayed popup ads
– Sucuri has not shared how other sites were compromised
– Attack likely involves brute force attacks and exploiting plugin vulnerabilities
– Malware uses time-based randomization to generate dynamic URLs
– Domains are registered shortly before being used in attacks to evade blocks
– Malicious code features XOR encoding and random variable names
– Code targets visitors from major sites like Google, Facebook, Yahoo, and Instagram
– Malware redirects visitors to scam sites and tries to trick them into enabling browser notifications
– Sucuri warns that Sign1 has evolved over the past six months
– Infections spiked when a new version of the malware was released
– Latest attack wave has claimed 2,500 sites since January 2024
– Campaign has become stealthier and more resilient to blocks over time
– To protect against these campaigns, use strong/long administrator passwords and update plugins to the latest version
– Unnecessary add-ons should be removed to reduce potential attack surface
bleepingcomputer.com
– StrelaStealer malware campaign impacted over a hundred organizations in the U.S. and Europe
– StrelaStealer steals email account credentials from Outlook and Thunderbird
– Malware uses polyglot file infection method to evade detection
– Originally targeted Spanish-speaking users, now targets people from the U.S. and Europe
– Distributed through phishing campaigns with significant uptick in November 2023
– Attacks surpassed 500 in the U.S. on some days
– Most targeted entities are in the ‘high tech’ space, followed by finance, legal services, manufacturing, government, utilities and energy, insurance, and construction
– Malware uses ZIP attachments to drop JScript files on victim’s system
– New version of malware employs control flow obfuscation and removes PDB strings to evade detection
– Primary function is to steal email login information and send it to attackers’ C2 server
– Users advised to be cautious with unsolicited emails involving payments or invoices and refrain from downloading attachments from unknown senders
thehackernews.com
– Cybersecurity researchers have detected a new wave of phishing attacks delivering an information stealer known as StrelaStealer
– The campaigns have targeted over 100 organizations in the E.U. and the U.S.
– StrelaStealer is designed to steal email login data and send it to an attacker-controlled server
– Two large-scale campaigns involving StrelaStealer have been detected targeting various sectors
– The malware is delivered via invoice-themed emails with ZIP attachments
– The malware uses obfuscation techniques to evade detection
– Fake installers for popular applications are being used to distribute a stealer malware called Stealc
– Phishing campaigns have also been observed delivering Revenge RAT and Remcos RAT
– A social engineering scam targets individuals searching for information about deceased individuals
– The scam redirects users to adult entertainment websites or presents false virus alerts
– The scam is currently focused on affiliate programs for antivirus software
– A new activity cluster called Fluffy Wolf is using phishing emails to deliver various threats
– The campaign shows that even unskilled threat actors can conduct successful attacks using malware-as-a-service schemes.
