WordPress sites are being hacked and abused to display fake Cloudflare DDoS protection pages to spread malware. The malware acts as a downloader for the Raccoon Stealer password-stealing trojan and NetSupport RAT.

DDoS welcome screens

  • DDoS protection screens are common on the internet, protecting sites from bots that ping them with fake requests, and aim to overwhelm users with garbage traffic.
  • Usually, internet users treat these welcome screens as an unavoidable annoyance that keeps their online resources protected. However, this familiarity is used as an opportunity for attackers.

Spreading malware using fake alerts

According to Sucuri, attackers are hacking unprotected WordPress sites to add obfuscated JavaScript payload displaying a fake Cloudflare protection DDoS screen.
  • This screen requests that the visitor clicks on a button to bypass the DDoS protection screen. However, clicking on the button downloads an ISO file (security_install.iso) that pretends to bypass DDoS verification.
  • When a user opens the ISO file, they get another file named security_install[.]exe, which is in reality a Windows shortcut that executes a PowerShell command from the debug[.]txt file.

Use of different threats

  • The attack used scripts to show the fake DDoS code required to view the site and install the NetSupport RAT.
  • Additionally, the scripts download Raccoon Stealer and run it on the system.

Staying safe

Admins are suggested to check the theme files of WordPress sites, which is the most common infection tactic in campaigns. Consider employing file integrity monitoring systems to catch JS injections as soon as they occur. Further, enable strict script-blocking settings on the browser to safeguard the system.
Cyware Publisher