WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.

"A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week.

The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file ("security_install.iso") to the victim's system.

While the installer does display a verification code to maintain the ruse, in reality, the file is a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates (aka SocGholish) malware family and also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums.

This is achieved by injecting three lines of code into a JavaScript file ("jquery.min.js"), or alternatively into the active theme file of the website, which, in turn, loads heavily obfuscated JavaScript from a remote server.
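
One way a site owner can check for this kind of tampering, shown as an added example that is not from Sucuri's write-up or the original article: compare the live WordPress tree with a clean reference copy of the same release and list the lines added to any changed `.js` or `.php` file. The function names, the stub directory tree and the three appended lines in the demo are constructed for illustration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

WATCHED = {".js", ".php"}  # script and theme files, the injection targets named above


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def added_lines(clean: Path, live: Path) -> list[str]:
    """Lines present in the live file but not in the clean reference copy."""
    a = clean.read_text(errors="replace").splitlines()
    b = live.read_text(errors="replace").splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    out = []
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend(b[j1:j2])
    return out


def audit(clean_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Map each modified or unexpected watched file to the lines added to it."""
    findings = {}
    for live in sorted(live_root.rglob("*")):
        if not live.is_file() or live.suffix not in WATCHED:
            continue
        rel = live.relative_to(live_root)
        clean = clean_root / rel
        if not clean.is_file():
            findings[rel.as_posix()] = ["<file absent from clean reference>"]
        elif sha256(clean) != sha256(live):
            findings[rel.as_posix()] = added_lines(clean, live)
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean stub tree and a copy with three appended lines."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes/js/jquery").mkdir(parents=True)
            (root / "wp-includes/js/jquery/jquery.min.js").write_text("/*! jQuery stub */\n")
            (root / "index.php").write_text("<?php // stub\n")
        with (live / "wp-includes/js/jquery/jquery.min.js").open("a") as fh:
            fh.write("// constructed 1\n// constructed 2\n// constructed 3\n")
        return audit(clean, live)
```

Any file reported by `audit()` should be restored from the clean copy after the added lines have been reviewed.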

In April 2022, eSentire disclosed an attack chain that leveraged a fake Chrome installer to deploy the trojan, which then paved the way for the execution of Mars Stealer. Likewise, an IRS-themed phishing campaign detailed by Cofense and Walmart Global Tech involved utilizing fake CAPTCHA puzzles on websites to deliver the same malware.
