Keypoints
- Injection was stored in WordPress plugin/widget settings (Custom CSS & JS), avoiding server-file detection.
- Malicious JavaScript computes a 10‑minute aligned timestamp (Date.now → seconds → rounded → hex) and embeds it into dynamic payload URLs.
- Domain names are revealed via XOR decoding of a hard-coded integer array (key = 40682), e.g., tags.stickloader.info.
- Execution requires three conditions: allowed referrer (major sites like Google/Facebook), absence of cookie “f084”, and the correct timestamped hexadecimal JS filename.
- The script fetches tags.stickloader.info/my/pack.js with base64-encoded page/referrer/language; that script functions as a TDS and redirects to VexTrio scam pages.
- Sign1 has run multiple waves across many domains and IPs (initially 162.0.228.112, later Hetzner IPs and Cloudflare) and was detected on thousands of sites.
- Initial access commonly follows successful brute-force attempts against wp-admin; mitigation includes securing admin, file-integrity monitoring, patching plugins, and using a web firewall.
MITRE Techniques
- [T1110] Brute Force – Admin access appears to have been gained after repeated login attempts: [‘The infection occurred after a huge number of failed logins originating from a large number of IP addresses, suggesting a successful brute force attack.’]
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious code is injected and executed in the browser to fetch and run dynamic payloads: [‘inject the malicious code using this plugin.’]
Indicators of Compromise
- [Domain] third‑party payload and TDS – tags.stickloader.info (e.g., tags.stickloader.info/my/pack.js), js.abc-cdn.online
- [IP Address] hosting infrastructure – 162.0.228.112 (initial Namecheap host), 5.75.230.95 (Hetzner), and 2 more IPs
- [Cookie] execution gating – cookie ‘f084’ used to suppress repeated pop-ups
- [URL/File] dynamic payload filenames – mount.<hexstring>.js (timestamp-aligned JS filename, new every 10 minutes) and my/pack.js (the TDS loader script)
- [Plugin/Component] compromise vector – Simple Custom CSS and JS plugin / WordPress custom HTML widgets (used to inject scripts into database)
The investigation began with server-side file-integrity scans and log review that showed plugin changes rather than modified server files; the malicious payload was stored inside the Custom CSS & JS plugin (custom HTML widget), enabling attackers to inject JavaScript from the database and remain hidden from typical file scans. Plugin settings contained obfuscated JavaScript with unusual variable names; reconstructing the plugin-supplied script revealed an XOR-encoded integer array and a hard-coded key (40682) used to decode the third-party domain (e.g., tags.stickloader.info).
Technically, the injected script uses Date.now() to compute the current epoch time, converts milliseconds to seconds, aligns the value to a 10‑minute window, and converts that number to a hexadecimal string which becomes part of the requested filename (mount.<hex>.js). The script verifies three runtime conditions before fetching external code: the visitor referrer matches major sites (Google, Facebook, etc.), the cookie ‘f084’ is not present, and the timestamped hex filename matches the 10‑minute interval. When satisfied, it loads tags.stickloader.info/my/pack.js with base64-encoded parameters (current URL, referrer, browser language); that remote script acts as a traffic distribution system (TDS) and redirects victims to VexTrio-linked scam pages.
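As an added analyst helper (not the campaign's script or the report's own code), the JavaScript below reproduces the two decoding steps just described so a request seen in web logs can be matched against the expected mount.<hex>.js name. The sample integer array is constructed here by encoding the decoded domain, and flooring to the window start is an assumption, since the text only says "rounded"/"aligned".

```javascript
// Added analyst helper (not the campaign's code): reproduces the XOR domain
// decoding and the 10-minute hex token so log requests can be matched.
const XOR_KEY = 40682; // key quoted in the report
const WINDOW_SECONDS = 600; // 10-minute alignment window

// Decode an array of (charCode ^ key) integers back into a string.
function xorDecode(ints, key = XOR_KEY) {
  return ints.map((n) => String.fromCharCode(n ^ key)).join("");
}

// Inverse of xorDecode; used only to build the constructed sample below.
function xorEncode(str, key = XOR_KEY) {
  return Array.from(str, (ch) => ch.charCodeAt(0) ^ key);
}

// Constructed sample array (the campaign's real array is not reproduced).
const SAMPLE_ENCODED = xorEncode("tags.stickloader.info");

// Hex token for the 10-minute window containing epochMs.
// Assumption: alignment floors to the window start; the report only says
// "rounded"/"aligned", so adjust if a captured sample shows otherwise.
function windowToken(epochMs) {
  const seconds = Math.floor(epochMs / 1000);
  return (seconds - (seconds % WINDOW_SECONDS)).toString(16);
}

// Payload filename pattern described in the report: mount.<hex>.js
function expectedFilename(epochMs) {
  return `mount.${windowToken(epochMs)}.js`;
}

// Tokens for the windows around a log timestamp, to absorb clock skew
// between the visitor's browser and the web server writing the log.
function candidateTokens(epochMs, windowsEachSide = 1) {
  const tokens = [];
  for (let i = -windowsEachSide; i <= windowsEachSide; i++) {
    tokens.push(windowToken(epochMs + i * WINDOW_SECONDS * 1000));
  }
  return tokens;
}

// True if a requested path is a mount.<hex>.js name valid near epochMs.
function isTimestampedPayload(path, epochMs) {
  const m = /^\/?mount\.([0-9a-f]+)\.js$/.exec(path);
  return m !== null && candidateTokens(epochMs).includes(m[1]);
}
```

Feed the log line's timestamp (as epoch milliseconds) and the requested path to isTimestampedPayload to flag callbacks that fit the campaign's naming scheme.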
The Sign1 campaign has cycled through many domains (see examples decoded from XOR or base64) and infrastructure shifts: initial domains and hosting on 162.0.228.112, later use of Hetzner IPs (5.75.230.95, 95.217.217.254, 128.140.70.175) and Cloudflare. Access is frequently gained via compromised admin credentials after brute-force activity. Technical mitigations include securing and hardening wp-admin (rate limits, MFA), monitoring admin activity, enabling file-integrity/server-side scanning for database-stored injections, promptly updating plugins, and deploying a web application firewall to block automated attacks and malicious callbacks.