Unidentified hackers are compromising WordPress sites to spread fake DDoS protection notifications purporting to be from Cloudflare. Through these fakes, the attackers distribute the NetSupport RAT and the RaccoonStealer infostealer (also known simply as Raccoon).
Sucuri researchers note that DDoS protection notifications are normally shown to users during checks that confirm the visitor is a real person rather than a bot or a participant in a DDoS attack. Users have long grown accustomed to such pages and usually treat them as an annoying but unavoidable “hindrance”. The researchers say that attackers are now abusing this habit.
Unidentified hackers break into poorly protected WordPress sites and inject an obfuscated JavaScript payload into their pages that displays a fake DDoS protection message while posing as Cloudflare.
As you can see in the screenshot above, these messages ask the visitor to click a button to pass a check and get past the DDoS protection. As you might guess, this is a scam: clicking the button only downloads the security_install.iso file, which pretends to be a tool for passing the verification. Users are then prompted to open security_install.iso and enter a code that they supposedly receive afterwards.
In fact, when opening security_install.iso, the victim sees a security_install.exe file, which is a Windows shortcut that runs a PowerShell command from the debug.txt file. This sequence launches a chain of scripts that show the victim a fake code to pass the check and install the NetSupport remote access Trojan, which is often used in malicious campaigns.
In addition, the scripts download the Raccoon infostealer and run it on the device. This malware steals passwords, cookies, autofill data and banking data saved in browsers, targets a wide range of cryptocurrency wallets, and can take screenshots of the victim’s desktop.
Experts recommend that WordPress site administrators carefully check theme files, as they are the most common point of initial infection. They also recommend using file integrity monitoring to detect JS injections as they occur.
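A minimal file integrity check of the kind recommended above, written as an added example (not Sucuri's tooling or code from the original article): it hashes the PHP/JS/HTML files of a WordPress theme directory into a baseline and later reports files that were added, modified or deleted. The theme layout, file names and the injected placeholder content in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types an injected payload is most likely to land in (theme templates and scripts).
WATCHED_SUFFIXES = {".php", ".js", ".html"}

def hash_tree(root: str) -> dict[str, str]:
    """Map each watched file under root (relative POSIX path) to its SHA-256 hex digest."""
    root_path = Path(root)
    digests = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            rel = path.relative_to(root_path).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def save_baseline(root: str, baseline_file: str) -> None:
    """Record the current hashes; run this right after a known-clean theme install or update."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))

def compare_to_baseline(root: str, baseline_file: str) -> dict[str, list[str]]:
    """Return files added, modified or deleted since the baseline was recorded."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in current.keys() & baseline.keys() if current[f] != baseline[f]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean theme, then simulate a script injection and a dropped file."""
    tmp = Path(tempfile.mkdtemp())
    theme = tmp / "wp-content" / "themes" / "demo-theme"  # hypothetical theme path
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php // theme bootstrap\n")
    (theme / "footer.php").write_text("<footer></footer>\n")
    baseline = tmp / "theme-baseline.json"
    save_baseline(str(theme), str(baseline))
    # Simulate the compromise: a <script> tag appended to footer.php and a new JS file dropped.
    with (theme / "footer.php").open("a") as fh:
        fh.write("<script>/* constructed placeholder, not a real payload */</script>\n")
    (theme / "js").mkdir()
    (theme / "js" / "loader.js").write_text("// constructed placeholder\n")
    return compare_to_baseline(str(theme), str(baseline))
```

In practice the baseline file should live outside the web root (or on a separate host) so that an attacker who can write to the theme directory cannot also rewrite the recorded hashes.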