WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.
Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites.
The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file (“security_install.iso”) to the victim’s system.
Following the download, users are prompted to enter a verification code generated from the so-called “DDoS Guard” application so as to entice the victim into opening the weaponized installer file and accessing the destination website.
While the installer does display a verification code to maintain the ruse, in reality, the file is a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates (aka SocGholish) malware family and also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums.
The development is a sign that attackers are opportunistically co-opting these familiar security mechanisms in their own campaigns in a bid to trick unsuspecting website visitors into installing malware.
To mitigate such threats, website owners are advised to place their sites behind a firewall, employ file integrity checks, and enforce two-factor authentication (2FA). Website visitors are also urged to turn on 2FA,…