Rewterz Threat Update – WordPress Sites Compromised With Fake Cloudflare DDoS Alerts Pushing Malware Infections

Severity

High

Analysis Summary

Threat actors are using WordPress websites to propagate malware that installs the RaccoonStealer password-stealing Trojan and the NetSupport RAT by displaying fake Cloudflare DDoS protection pages.
In order to determine if a site visitor is a person or a robot, WAF/CDN services execute browser checks on DDoS Protection sites.
Recently security specialists have discovered JavaScript injections targeting WordPress sites in order to create fake DDoS Protection pages that direct users to download remote access trojan infections.

The above page requires the user to click a button to bypass the DDoS protection screen. However, clicking the button will download a ‘security install.iso’ file that seems to be a tool necessary to bypass the DDoS verification.

When the file is opened, the picture file is mounted and its contents are displayed to the visitors. The mounted drive has a file named security install.exe, which is really a Windows shortcut that executes a PowerShell script stored in the same drive’s debug.txt file.

Finally, a chain of scripts is executed, displaying the fake DDoS code required to see the site and installing the NetSupport RAT, a remote access trojan often used in malicious campaigns
The scripts will also download and run the password-stealing malware known as Raccoon Stealer on the target device.

Security researchers also share key measures that can be taken to reduce the likelihood of this infection. Recommendations include: Website owners should keep all software on their website up to date, use strong passwords, enable 2FA in their administration panel, and put their website behind a firewall service.

Impact

• Remote Access Trojan Malware
• Information Theft
• Credential Theft

Remediations

• Ensure that your machine is running a strong antivirus application.
• Keep your browser and any software on your machine up to date/patched.
• Use a script blocker in your browser (advanced)
• Do not download document ?les attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Do not download email attachments coming from untrusted sources.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets