Several WordPress websites have been compromised to infect visitors with malware by displaying fake Cloudflare DDoS protection pages. Distributed Denial-of-Service (DDoS) protection pages are associated with the browser checks run by CDN/WAF services to verify whether a website visitor is a legitimate user or a bot.
JavaScript injections are the initial vector used to deliver the fake DDoS protection pages.
Cybersecurity researchers recently found that JavaScript injected into WordPress websites displays fake DDoS protection pages that lead visitors to download remote access trojan malware.
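Because the chain begins with JavaScript injected into a WordPress install, the most useful defensive control on the site side is knowing when theme, plugin or core files change. The script below is an added example written for this article, not code from the article or from WordPress: it baselines SHA-256 hashes of the watched files, reports anything added, removed or modified, and scans page output for `<script>` tags that load from hosts outside an allow list or contain obfuscation constructs. The directory layout, the allow list (`ALLOWED_SCRIPT_HOSTS`) and the injected snippet (with the placeholder host `ddos-check.invalid`) are all constructed for the demo.

```python
"""Added example: baseline-and-diff integrity check for a WordPress install,
plus a heuristic scan for injected <script> tags. Illustrative code written
for this article, not a WordPress or Cloudflare tool; the allow list, file
layout and injected snippet below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types where injected code is usually planted (themes, plugins, core).
WATCHED_SUFFIXES = {".php", ".js", ".html"}
# Assumption: script hosts the site legitimately loads (hypothetical allow list).
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>",
                              re.IGNORECASE | re.DOTALL)
# Constructs that are rare in legitimate theme code but common in injected loaders.
SUSPICIOUS_INLINE = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each watched file (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def find_injected_scripts(content: str) -> list:
    """Flag <script> tags loading from unexpected hosts and obfuscated inline code."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(content):
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unexpected host: {host}")
    for body in INLINE_SCRIPT_RE.findall(content):
        hits = [name for name, rx in SUSPICIOUS_INLINE.items() if rx.search(body)]
        if hits:
            findings.append("inline script uses " + ", ".join(hits))
    return findings


# Constructed sample content: a clean theme footer and an injected loader stub.
CLEAN_FOOTER = (
    "<footer>demo</footer>\n"
    '<script src="/wp-includes/js/jquery.js"></script>\n'
    "</body></html>\n"
)
INJECTED_SNIPPET = (
    '<script src="https://ddos-check.invalid/check.js"></script>\n'
    '<script>eval(atob("aGVsbG8="));</script>\n'
)


def run_demo() -> tuple:
    """Build a tiny WordPress-like tree, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        footer = root / "wp-content" / "themes" / "demo" / "footer.php"
        footer.parent.mkdir(parents=True)
        footer.write_text(CLEAN_FOOTER)
        (root / "wp-includes" / "js").mkdir(parents=True)
        (root / "wp-includes" / "js" / "jquery.js").write_text("/* jquery stub */\n")
        baseline = build_manifest(root)

        # Simulated compromise: loader appended to the footer, new file dropped.
        footer.write_text(CLEAN_FOOTER + INJECTED_SNIPPET)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // dropped\n")

        changes = diff_manifest(baseline, build_manifest(root))
        findings = find_injected_scripts(footer.read_text())
        return changes, findings


if __name__ == "__main__":
    changes, findings = run_demo()
    print("changes:", changes)
    print("findings:", findings)
```

In practice the baseline manifest is taken right after a clean install or update and stored off the web server, so an attacker who modifies a file cannot also rewrite the record of its hash; the script scan is a secondary signal, since injected loaders can hide in PHP that only emits the script tag at render time.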
The malicious pages ask visitors to click a button to pass the DDoS check and enter the website. If the visitor does so, the malware downloads the security_install[.] ISO file to the visitor's device.
The downloaded file poses as a tool needed to pass the DDoS verification. A message then tells the user that the verification code required to access the website is inside the file, tricking the user into opening it.
Once the user opens the file, the ISO image is mounted and its contents are displayed. The mounted drive contains a file called security_install[.]exe, a Windows shortcut that runs a PowerShell command stored in the debug[.]txt file in the same folder.
The infection chain starts when the security_install[.] shortcut is launched on the device, while a fake DDoS verification code is shown to the user. This launches a chain of scripts while displaying the fake code that supposedly opens the site.
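On the endpoint side, the step worth detecting is a PowerShell process launched from a user-opened shortcut on a freshly mounted image, taking its instructions from a text file in the same folder. The following is an added example written for this article, not a vendor rule or anything from the original report: it parses constructed process-creation events in a simple `key=value | key=value` format and scores each PowerShell launch against a few heuristics (a `.txt` path in the command line, that path or the working directory on a non-system volume, `explorer.exe` as parent). The log format, timestamps, drive letters and command lines are constructed, `SYSTEM_DRIVE = "C:"` and `ALERT_THRESHOLD = 3` are assumptions, and real deployments would map the same logic onto Sysmon or EDR process-creation telemetry.

```python
"""Added example: heuristic detection of the shortcut-to-PowerShell step described
above, run over constructed process-creation events. Illustrative code written
for this article, not a vendor rule; the log format, drive letters and command
lines are constructed, and the scoring threshold is an assumption."""
import re
from dataclasses import dataclass

# Assumption: the OS lives on C:, so a mounted ISO or removable image gets another letter.
SYSTEM_DRIVE = "C:"
# A Windows path ending in .txt, as it appears inside a command line.
TXT_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"\']*?\.txt)\b', re.IGNORECASE)
ALERT_THRESHOLD = 3  # Assumption: three or more matched heuristics raise an alert.

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def _line(ts, image, parent, cwd, cmdline):
    """Build one constructed event in the toy 'key=value | key=value' format."""
    return f"ts={ts} | image={image} | parent={parent} | cwd={cwd} | cmdline={cmdline}"


# Constructed events (not a real log source).
SAMPLE_EVENTS = [
    # Shortcut on a mounted image launching PowerShell that reads a text file next to it.
    _line("2022-08-10T14:03:11Z", PS_IMAGE, EXPLORER, "E:\\",
          r'powershell.exe -NoProfile -Command "Get-Content E:\debug.txt"'),
    # Scheduled maintenance script: no text file, not user-launched.
    _line("2022-08-10T14:05:00Z", PS_IMAGE, r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32", r"powershell.exe -File C:\Scripts\backup.ps1"),
    # User reading notes from the system drive: two weak signals, below threshold.
    _line("2022-08-10T14:07:42Z", PS_IMAGE, EXPLORER, r"C:\Users\alice",
          r'powershell.exe -Command "Get-Content C:\Users\alice\notes.txt"'),
    # Unrelated process on the same mounted volume.
    _line("2022-08-10T14:08:13Z", r"C:\Windows\System32\cmd.exe", EXPLORER, "E:\\",
          "cmd.exe /c dir"),
]


@dataclass
class ProcessEvent:
    ts: str
    image: str
    parent: str
    cwd: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    fields = dict(part.split("=", 1) for part in line.split(" | "))
    return ProcessEvent(**fields)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _on_system_drive(path: str) -> bool:
    return path.upper().startswith(SYSTEM_DRIVE)


def score_event(ev: ProcessEvent) -> tuple:
    """Return (score, reasons); each matched heuristic adds one point."""
    reasons = []
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    txt_paths = TXT_PATH_RE.findall(ev.cmdline)
    if txt_paths:
        reasons.append("PowerShell command line references a .txt file")
    if any(not _on_system_drive(p) for p in txt_paths):
        reasons.append("referenced .txt file is on a non-system volume (mounted image?)")
    if not _on_system_drive(ev.cwd):
        reasons.append("working directory is on a non-system volume")
    if _basename(ev.parent) == "explorer.exe":
        reasons.append("launched from explorer.exe (double-clicked shortcut or file)")
    return len(reasons), reasons


def detect(lines, threshold: int = ALERT_THRESHOLD) -> list:
    """Return alert records for events whose score meets the threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"ts": ev.ts, "score": score, "cmdline": ev.cmdline,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["score"], alert["cmdline"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Each signal alone is noisy (administrators read text files from PowerShell all the time), which is why the example combines them and why the admin example in the sample set stays below the threshold; the non-system-volume checks are what tie the behaviour to a user-mounted image rather than to ordinary scripting.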
Finally, the process installs the NetSupport RAT on the targeted device. The scripts also compromise the victim's computer with Raccoon Stealer, an information-stealing trojan.
This infostealer lets its operators gather cookies, auto-fill data, login credentials, credit card details, and cryptocurrency wallets.
Experts recommend that site owners keep all software on their websites updated. Strong passwords and 2FA on the administrative panel are also effective ways to counter such threats.