WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.
Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites.
The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file (“security_install.iso”) to the victim’s systems.
Following the download, users are prompted to enter a verification code generated from the so-called “DDoS Guard” application so as to entice the victim into opening the weaponized installer file and access the destination website.
While the installer does display a verification code to maintain the ruse, in reality, the file is a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates (aka SocGholish) malware family and also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums.
The development is a sign that threat actors are opportunistically co-opting these familiar security mechanisms in their own campaigns in a bid to trick unsuspecting website visitors into installing malware.
“The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy — all depending on what the attackers decide to do with the compromised device,” Martin said.
This isn’t the first time ISO-themed files and CAPTCHA checks have been used to deliver the NetSupport RAT.
In April 2022, eSentire disclosed an attack chain that leveraged a fake Chrome installer to deploy the trojan, which then paved the way for the execution of Mars Stealer. Likewise, an IRS-themed phishing campaign detailed by Cofense and Walmart Global Tech involved utilizing fake CAPTCHA puzzles on websites to deliver the same malware.