Hackers Using Fake DDoS Protection Pages to Distribute Malware

Thu, 25 Aug 2022 21:02:00 Dan

WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.

"A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week.

Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites.

The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file ("security_install.iso") to the victim's systems.

This is achieved by injecting three lines of code into a JavaScript file ("jquery.min.js"), or alternatively into the active theme file of the website, which, in turn, loads heavily obfuscated JavaScript from a remote server.

"This JavaScript then communicates with a second malicious domain which loads more JavaScript that initiates the download prompt for the malicious .iso file," Martin explained.

Following the download, users are prompted to enter a verification code generated from the so-called "DDoS Guard" application so as to entice the victim into opening the weaponized installer file and access the destination website.

While the installer does display a verification code to maintain the ruse, in reality, the file is a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates (aka SocGholish) malware family and also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums.

The development is a sign that threat actors are opportunistically co-opting these familiar security mechanisms in their own campaigns in a bid to trick unsuspecting website visitors into installing malware.

More at https://thehackernews.com/2022/08/hackers-using-fake-ddos-protection.html

About the author

Dan

Dan

 

I'm a long-time user and enthusiast of open source software and espouse the philosophy that software code should be open (readable). So that everyone can see what happens behind the scenes while we use our electronic devices every day.