Hackers are using WordPress websites to show fake Cloudflare DDoS protection pages that spread malware like NetSupport RAT and Raccoon Stealer.
According to a report last week by Sucuri’s Ben Martin, a recent spike in JavaScript injections that target WordPress sites has led to phony DDoS prevent prompts that direct victims to download remote access trojan malware.
DDoS prevention pages are crucial browser verification checks created to stop bot-driven malicious and unwanted traffic from consuming bandwidth and bringing down websites.
The latest attack method involves taking over WordPress websites to show phony DDoS protection pop-ups that, when clicked, download a malicious ISO file (called “security install.iso”) to the systems of the victims.
This is achieved by injecting three lines of code into a JavaScript file (“jquery.min.js”), or alternatively into the active theme file of the website, which, in turn, loads heavily obfuscated JavaScript from a remote server.
“This JavaScript then communicates with a second malicious domain which loads more JavaScript that initiates the download prompt for the malicious .iso file,” Martin explained.
Following the download, users are prompted to enter a verification code generated from the so-called “DDoS Guard” application so as to entice the victim into opening the weaponized installer file and access the destination website.
In order to maintain the ruse, the installer does display a verification code, but in reality, the file is a remote access trojan called NetSupport RAT, which is connected to the FakeUpdates (aka SocGholish) malware family and also secretly installs Raccoon Stealer, a credential-stealing trojan that is for rent on darknet forums.
The change is evidence that threat actors are opportunistically adopting these well-known protection measures for their own operations in an effort to deceive unwary website users into downloading malware.
Website owners must protect their sites with a firewall, use file integrity checks, and implement two-factor authentication in order to reduce these risks (2FA). Additionally, website visitors are advised to enable 2FA, refrain from accessing suspicious files, and utilize script blockers in web browsers to stop JavaScript from running.
Depending on what the attackers decide to do with the compromised device, “the infected computer could be used to steal social media or banking credentials, detonate ransomware, or even entrap the victim into a pernicious “slave” network, extort the computer owner, and violate their privacy,” Martin said.
It’s not the first time the NetSupport RAT has been distributed using ISO-themed files and CAPTCHA tests.
eSentire revealed an attack chain in April 2022 that used a phony Chrome installation to spread the trojan, which subsequently made way for Mars Stealer to be used. Similarly, Cofense and Walmart Global Tech described an IRS-themed phishing effort that used false CAPTCHA puzzles on websites to spread the same virus.