WordPress websites infected with trojan horses

WordPress sites can be an easy target for hosting malware and injection attacks, and this time it’s in the form of phony distributed denial-of-service (DDoS) Cloudflare capture pages.

This specific attack, documented and reported by Sucuri, utilizes both NetSupport and RaccoonStealer trojans.

It’s increasingly common to see “DDoS protection” pages when you first attempt to visit a high-traffic website or eCommerce store. This is a function of a web application firewall or content delivery network, which helps verify whether a visitor is a genuine user or traffic generated by a bot or DDoS attack.

Usually the check takes only a couple of seconds to verify genuine web traffic, after which the user is forwarded to the website they intended to access. Recent JavaScript injections on numerous WordPress websites abuse this expectation: they display a fake DDoS prevention page to fool users and serve remote access trojan (RAT) malware.

The fake Cloudflare DDoS protection screen that affected WordPress websites display to users, in an attempt to force a remote access trojan download. Source: Sucuri

Users are instructed to download security_install.iso, which is presented as an application called “DDOS Guard.” Users are led to believe that after installing the software they will be able to access the website without DDoS screening.

However, it’s malware, and it will quickly download “Raccoon Stealer”, a password-stealing trojan, and launch it on the device.

The attack chain of the fake Cloudflare DDoS protection malware. Source: Sucuri

Raccoon Stealer is malware offered to cybercriminals under a subscription model, and targets passwords, cookies, stored credit card information, cryptocurrency wallets, and more.

Once it finds data worth transmitting back to the cybercriminals, it exfiltrates that data along with screenshots of the victim’s desktop.

Sucuri recommends that site owners monitor the theme files of their WordPress sites, the most common target of this attack. Additionally, file integrity monitoring systems are highly recommended to help detect malicious JavaScript injections.
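As an added illustration of the file integrity monitoring Sucuri recommends (example code written for this article, not Sucuri's or WordPress's own tooling), the script below hashes every file under a theme directory, compares the result against a stored baseline, and flags script tags that load from an off-site host. The helper names, the sample theme files and the URLs are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Helper names are hypothetical; the sample theme files and URLs are constructed.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def baseline(theme_root) -> dict:
    # Map every file under the theme directory (relative path) to its SHA-256.
    root = Path(theme_root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old: dict, new: dict) -> dict:
    # Files added, removed or modified since the stored baseline.
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

def external_scripts(text: str, site_host: str) -> list:
    # <script src> URLs that load from a host other than the site itself;
    # relative paths count as same-host. An injected loader typically points off-site.
    return [src for src in SCRIPT_SRC.findall(text)
            if (urlparse(src).hostname or site_host) != site_host]

def demo() -> dict:
    # Constructed sample: tiny theme, baseline, then a simulated injection.
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d) / "theme"
        theme.mkdir()
        (theme / "header.php").write_text("<html><head><title>x</title></head>\n")
        (theme / "footer.php").write_text("<footer></footer></html>\n")
        before = baseline(theme)
        # The kind of change FIM should flag: an off-site script tag added to header.php.
        (theme / "header.php").write_text(
            '<html><head><title>x</title>\n'
            '<script src="https://example.invalid/loader.js"></script></head>\n')
        report = compare(before, baseline(theme))
        report["external_scripts"] = external_scripts(
            (theme / "header.php").read_text(), "example.com")
        return report

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to disk (outside the web root) right after a clean install or update, and the comparison run on a schedule.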
