Victims are infected with the NetSupport trojan and the Raccoon Stealer infostealer.
According to a Sucuri report, hackers break into poorly protected WordPress sites to inject heavily obfuscated JavaScript code that displays a fake notification from Cloudflare on the site.
As shown below, the site visitor is prompted to click a button to bypass DDoS protection. If the victim clicks the button, a file named ‘security_install.iso’ is downloaded to their computer, posing as a tool needed to get past the protection.
The victim is then prompted to open the security_install.iso file, which masquerades as the DDOS GUARD application, and enter the specified code.
When the user opens the security_install.iso file, they see the security_install.exe file, which runs the PowerShell command stored in the debug.txt file.
After that, a chain of scripts is launched that generates the fake code required to view the site and also installs a popular remote access Trojan (RAT) called NetSupport. The scripts additionally deploy Raccoon Stealer 2.0 on the victim’s device, a malware that steals passwords, cookies, autofill data and credit cards stored in web browsers, as well as data from various cryptocurrency wallets. This infostealer can also steal files from the victim’s device and take screenshots of the desktop.
Sucuri experts recommend that administrators check the theme files of their WordPress sites and start using file integrity monitoring systems to catch JS injections at the time they occur, thereby preventing hackers from turning the site into a malware distribution point.
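The file integrity monitoring Sucuri recommends can be as simple as hashing the active theme's PHP and JS files, diffing against a stored baseline, and flagging changed files that carry obfuscation markers. The following is an added example, not code from the report or from Sucuri; the obfuscation heuristics and the watched extensions are assumptions chosen for illustration.

```python
import hashlib
import os
import re

# Theme PHP templates and JS assets: where the report says the script was injected.
WATCHED_EXT = (".php", ".js")
# Crude obfuscation markers (heuristics constructed for this example, not taken
# from the report): long hex-escape runs, charcode builders, eval/Function over
# atob/unescape, or any single line over max_line characters.
OBFUSCATION_PATTERNS = [
    re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"\b(eval|Function)\s*\(\s*(atob|unescape)\s*\("),
]

def snapshot_theme(root):
    """Read every watched file under a theme directory into {relpath: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(WATCHED_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files

def file_hashes(files):
    """Map relative path -> SHA-256 hex digest for a {path: bytes} snapshot."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def diff_baseline(baseline, current):
    """Compare two hash maps; report paths that were added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def looks_obfuscated(data, max_line=2000):
    """True if the content shows obfuscation markers or an unusually long line."""
    text = data.decode("utf-8", errors="replace")
    if any(len(line) > max_line for line in text.splitlines()):
        return True
    return any(pat.search(text) for pat in OBFUSCATION_PATTERNS)

def check_theme(baseline, files):
    """Diff a fresh snapshot against the baseline; flag changed files that look obfuscated."""
    changes = diff_baseline(baseline, file_hashes(files))
    suspicious = [p for p in changes["added"] + changes["modified"] if looks_obfuscated(files[p])]
    return {**changes, "suspicious": suspicious}
```

Store `file_hashes(snapshot_theme(theme_dir))` right after a clean deployment as the baseline, then run `check_theme(baseline, snapshot_theme(theme_dir))` from a cron job and alert on any non-empty `suspicious` list.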