Attackers using fake Cloudflare DDoS protection popups to distribute malware

Attackers using fake Cloudflare DDoS protection popups to distribute malware

The malware dropped in this attack is the NetSupport RAT which was previously identified in malicious MS Word documents.

A new threat campaign has been discovered by cybersecurity researchers at Sucuri, in which attackers are using fake Cloudflare DDoS protection popups to distribute malware.

According to Sucuri’s findings, the attack starts with malicious JavaScript that targets WordPress sites. Users are tricked into downloading malware that leads to the hijacking of their devices.

The victim unknowingly downloads a remote access trojan (RAT), which has been flagged by at least thirteen security vendors so far.

How does the Attack Take Place?

Researchers noted that attackers hack poorly protected WordPress websites and add an obfuscated JavaScript payload. This payload displays a fake DDoS protection page. The visitor is requested to click on a button to bypass the DDoS protection screen, but when clicked, it downloads a file to the computer (‘security_install.iso).

Then the visitor is asked to open this file, which pretends to be a DDOS GUARD application. There’s a code provided that the victim must enter, and another file appears (security_install.exe). This file is a Windows shortcut that runs a PowerShell command from the Debug.txt file. Several other scripts are run, and the fake DDoS code is displayed.

However, in the background, the NetSupport RAT is installed. This RAT is commonly and extensively used in malware campaigns nowadays. The malicious scripts also download the Raccoon Stealer 2.0- a password-stealing trojan.

Attackers using fake Cloudflare DDoS protection popups to distribute malware
Fake Cloudflare page dropping malware

This malware steals cookies, passwords, credit card info, auto-fill data, and a wide range of cryptocurrency wallets. It can also perform file exfiltration and captures screenshots of the victim’s display screen. Regarding the possible threats/dangers of this campaign, here’s what the researchers wrote in their report:

“The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy – all depending on what the attackers decide to do with the compromised device.”

What are DDoS Protection Pages?

You may often come across DDoS Protection pages while browsing the web. These pages are linked with WAF/CDN services that perform browser performance checks and verify if the site visitor is a human, bot, or part of a DDoS attack.

Attackers using fake Cloudflare DDoS protection popups to distribute malware

These pages usually don’t affect users as they perform a simple check or request for a skill test before proceeding to their desired website/webpage. But, in the recently discovered campaign, JavaScript injections are used in WordPress sites to create fake DDoS protection popups.

How to Stay Protected?

Site admins must always check their WordPress sites’ theme files because this is the most widely exploited feature in this campaign and regularly update the software, use 2FA and strong passwords, and deploy a firewall.

Furthermore, it is essential to use a file integrity monitoring system as it can quickly catch JavaScript injections and prevent the website from becoming a malware distribution point.

On the other hand, users should enable strict script blocking settings on the browser and keep in mind that they don’t need to download ISO files as anti-DDoS procedures.

  1. Google Fended Off Largest Ever Layer 7 DDoS Attack
  2. DDoS booter customers received warning letters from Dutch police
  3. DDoS App Meant to Hit Russia Infected Phones of Ukrainian Activists
  4. Canadian firm hit by non-stop extortion-based DDoS attacks
  5. Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

Related Posts