A new report has revealed that WordPress websites are being hacked to show fake Cloudflare Distributed Denial of Service (DDoS) protection pages to users. The fake alert pages are designed to distribute malware that insidiously installs the password-stealing Trojan known as RaccoonStealer and the NetSupport RAT.

DDoS protection screens are a common occurrence online and are designed to protect sites from botnets that ping them with false requests, with the aim of overwhelming their systems with ghost traffic.

Users often view these ‘welcome screens’ as a short-term and unavoidable annoyance that helps keep their favoured online resources safe from malicious operators. Unfortunately, the familiar face of alert screens serves as an ideal opportunity for malware campaigners to exploit users.

Malware via bogus Cloudflare prompts

A recent report by researchers at Sucuri showed that threat operators are now hacking WordPress sites with poor protection levels to add a hidden JavaScript payload that can show a bogus Cloudflare protection DDoS display screen.

The screen requests that site visitors click on a button to clear the DDoS protection screen. Unfortunately, clicking this button automatically downloads a security installation file to the device that impersonates the tool needed to bypass the screen.

The target users are then told to open up the file, which they claim is an application named DDOS GUARD, and enter a verification code.

When the user opens the file entitled security_install.exe, it is, in reality, a Windows shortcut that can run a PowerShell command from a debug.txt file.

As a result, a chain of scripts run, displaying the fake DDoS code required to view the site, while installing the NetSupport remote access Trojan (RAT). This is a common tool used widely in many modern malicious campaigns. Additionally, the malicious scripts will also download the password-stealing Trojan, Raccoon Stealer, and then launch it on the user’s computer.

After a hiatus, Raccoon Stealer returned in June 2022, when its creators released an updated version (2nd edition) and made it readily available to cybercriminals, who could access it via a subscription model.

The Raccoon 2.0 Trojan targets passwords, auto-fill data, cookies, and credit cards that have been saved on web browsers, and a wide selection of cryptocurrency wallets. The Trojan is also capable of executing file exfiltration and capturing screenshots of a target’s desktop.

How can user protect their WordPress sites against attack?

According to experts at Sucuri, administrators must check any theme files of the WordPress sites they manage, as this is a prevalent infection point for the campaign. Additionally, admins are advised to use a file integrity monitoring system to identify and isolate JS injections as they occur to prevent sites from becoming a Remote Access Trojan distribution point.

Online users can also protect themselves from these threats by activating strict settings for script-blocking on the internet browser they employ. Finally, admins should remember that downloading security install files is never part of an authentic anti-DDoS procedure. If a file is downloaded in error, users should never unpack the contents of the file or set it to run.