A new threat campaign has been discovered by cybersecurity researchers at Sucuri, in which attackers are using fake Cloudflare DDoS protection popups to distribute malware.
The victim unknowingly downloads a remote access trojan (RAT), which has been flagged by at least thirteen security vendors so far.
How Does the Attack Take Place?
A compromised WordPress site (the attackers inject JavaScript into its theme files) shows the visitor a fake Cloudflare DDoS protection prompt, which pushes a file download (an ISO image). The visitor is then asked to open this file, which pretends to be a DDOS GUARD application. It displays a code that the victim must enter, and another file appears (security_install.exe). Despite the name, this file is a Windows shortcut that runs a PowerShell command read from the Debug.txt file. Several further scripts run, and the fake DDoS verification code is displayed to keep up the pretence.
In the background, however, the NetSupport RAT is installed. NetSupport is a legitimate remote administration tool that is commonly and extensively abused in malware campaigns. The malicious scripts also download Raccoon Stealer 2.0, a password-stealing trojan.
This malware steals cookies, passwords, credit card details, browser auto-fill data, and the contents of a wide range of cryptocurrency wallets. It can also exfiltrate files and capture screenshots of the victim's screen. On the possible consequences of this campaign, the researchers wrote in their report:
“The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy – all depending on what the attackers decide to do with the compromised device.”
What are DDoS Protection Pages?
You may often come across DDoS protection pages while browsing the web. These pages are served by WAF/CDN services that run browser verification checks (for example a JavaScript challenge) to decide whether the visitor is a human, a bot, or part of a DDoS attack.
How to Stay Protected?
Site admins should regularly inspect their WordPress sites' theme files, since injecting code there is how this campaign gets its fake prompt in front of visitors. They should also keep WordPress, themes and plugins updated, use 2FA and strong passwords, and deploy a firewall (WAF) in front of the site.
Users, for their part, should enable strict script-blocking settings in the browser and keep in mind that no legitimate anti-DDoS check ever requires downloading or running a file such as an ISO image.
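"Check the theme files" is easiest to do mechanically: record a hash of every file in a known-clean theme, then re-run and list what was added, changed or removed. The script below is an added example for that advice; it is not code from Sucuri or from WordPress. The `snapshot`/`compare` helpers are the reusable part, and `demo()` builds a constructed throw-away theme directory, tampers with it, and returns the diff so the whole thing runs offline. The file names in `demo()` are constructed for the illustration.

```python
"""File-integrity baseline for a WordPress theme directory (added example).

Usage on a real site (paths are examples):
    base = snapshot("/var/www/html/wp-content/themes/mytheme")
    save_baseline(base, "/root/mytheme.baseline.json")   # once, when clean
    ... later ...
    report = compare(load_baseline("/root/mytheme.baseline.json"),
                     snapshot("/var/www/html/wp-content/themes/mytheme"))
Anything in report["modified"] or report["added"] that you did not change
yourself deserves a look: injected JavaScript lands as a modified PHP file.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def save_baseline(digests, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed theme: baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as theme, \
         tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(theme, "js"))
        with open(os.path.join(theme, "header.php"), "w") as f:
            f.write("<?php wp_head(); ?>\n")
        with open(os.path.join(theme, "footer.php"), "w") as f:
            f.write("<?php wp_footer(); ?>\n")
        with open(os.path.join(theme, "js", "theme.js"), "w") as f:
            f.write("console.log('theme');\n")

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(theme), baseline_path)   # clean state recorded

        # Simulated tampering (constructed): a script tag appended to footer.php
        # and a new file dropped into the theme. Not the campaign's real payload.
        with open(os.path.join(theme, "footer.php"), "a") as f:
            f.write("<script>/* injected placeholder */</script>\n")
        with open(os.path.join(theme, "extra.php"), "w") as f:
            f.write("<?php /* constructed drop-in */ ?>\n")

        return compare(load_baseline(baseline_path), snapshot(theme))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline belongs outside the web root and outside the theme directory, so an attacker who can write to the theme cannot quietly rewrite the baseline to match. Pair it with a cron job or the host's monitoring so that a non-empty `added`/`modified` list raises an alert rather than waiting for someone to run it by hand.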