Threat actors are using WordPress websites to propagate malware that installs the Raccoon Stealer password-stealing Trojan and the NetSupport RAT by displaying fake Cloudflare DDoS protection pages.
Legitimate WAF/CDN services display DDoS protection pages of this kind to run browser checks that determine whether a site visitor is a person or a bot, which is what makes the fake page plausible.
The fake page requires the user to click a button to pass the DDoS protection screen. Clicking the button, however, downloads a file named ‘security install.iso’ that is presented as a tool needed to complete the DDoS verification.
When the file is opened, the disk image is mounted and its contents are shown to the visitor. The mounted drive contains a file named security install.exe, which is really a Windows shortcut that executes a PowerShell script stored in the debug.txt file on the same drive.
Finally, a chain of scripts runs: it displays the fake DDoS code supposedly required to view the site and installs the NetSupport RAT, a remote access trojan often used in malicious campaigns.
The scripts will also download and run the password-stealing malware known as Raccoon Stealer on the target device.
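As an added illustration from the defender's side (this code is not from the article or from the researchers' report), the following Python flags process telemetry that matches the chain just described: explorer.exe launching PowerShell from a shortcut, with a command line that reads its script body from a .txt file on a mounted disk-image drive. The event shape and field names, the drive letter E:, and every sample command line are constructed assumptions, not captured logs.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon-like field names are an assumption)."""
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line of the created process


# Patterns tied to the described chain: a shortcut on a mounted ISO starts
# PowerShell, which loads its real script from a .txt file on the same drive.
TXT_LOAD = re.compile(r"\b(?:gc|cat|type|get-content)\b[^|;]*?\.txt\b", re.I)
DRIVE_REF = re.compile(r"\b([A-Za-z]):\\")
EVASION = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I)


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def analyze(event: ProcEvent, mounted_image_drives: set[str]) -> list[str]:
    """Return the reasons this event resembles the ISO/LNK -> PowerShell chain."""
    reasons: list[str] = []
    if not is_powershell(event.image):
        return reasons
    if event.parent_image.lower().endswith("explorer.exe"):
        reasons.append("PowerShell started by explorer.exe (shortcut double-click)")
    drives = {d.upper() for d in DRIVE_REF.findall(event.cmdline)}
    if drives & {d.upper() for d in mounted_image_drives}:
        reasons.append("command line references a mounted disk-image drive")
    if TXT_LOAD.search(event.cmdline):
        reasons.append("script body read from a .txt file")
    if EVASION.search(event.cmdline):
        reasons.append("hidden window or execution-policy bypass")
    return reasons


def find_suspicious(events, mounted_image_drives, min_reasons: int = 2) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that accumulates at least min_reasons."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        reasons = analyze(ev, mounted_image_drives)
        if len(reasons) >= min_reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed sample telemetry (not real logs); E: stands in for the mounted ISO.
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
              "explorer.exe"),
    ProcEvent(5201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r'powershell.exe -ep bypass -w hidden -c "iex (gc E:\debug.txt -raw)"'),
    ProcEvent(5330, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -Command Get-ChildItem C:\Users\alice\Documents"),
    ProcEvent(5412, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]
# Drive letters currently backed by a mounted image; assumed to come from host inventory.
MOUNTED_IMAGE_DRIVES = {"E"}

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS, MOUNTED_IMAGE_DRIVES).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```

The threshold of two reasons is deliberate: a user double-clicking a legitimate .ps1 shortcut from Explorer produces one reason, while the described chain produces all four. The set of image-backed drive letters is a hypothetical input; on a real host it would have to be derived from volume or mount telemetry rather than hard-coded.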
Security researchers also share key measures that reduce the likelihood of this infection. Recommendations for website owners include keeping all software on the site up to date, using strong passwords, enabling 2FA in the administration panel, and putting the site behind a firewall service.