Skip to main content

Hackers are using fake WordPress DDoS pages to launch malware

Hackers are pushing the distribution of dangerous malware via WordPress websites through bogus Cloudflare distributed denial of service (DDoS) protection pages, a new report has found.

As reported by PCMag and Bleeping Computer, websites based on the WordPress format are being hacked by threat actors, with NetSupport RAT and a password-stealing trojan (RaccoonStealer) being installed if victims fall for the trick.

A digital depiction of a laptop being hacked by a hacker.
Digital Trends Graphic

Cybersecurity firm Sucuri detailed how hackers are breaching WordPress sites that don’t have a strong security foundation in order to implement JavaScript payloads, which in turn showcase fake Cloudflare protection DDoS alerts.

Once someone visits one of these compromised sites, it will direct them to physically click a button in order to confirm the DDoS protection check. That action will lead to the download of a ‘security_install.iso’ file to one’s system.

From here, instructions ask the individual to open the infected file that is disguised as a program called DDOS GUARD, in addition to entering a code.

Another file, security_install.exe, is present as well — a Windows shortcut that executes a PowerShell command via the debug.txt file. Once the file is opened, NetSupport RAT, a popular remote access trojan, is loaded onto the system. The scripts that run once they have access to the PC will also install and launch the Raccoon Stealer password-stealing trojan.

Originally shut down in March 2022, Raccoon Stealer made a return in June with a range of updates. Once successfully opened on a victim’s system, Raccoon 2.0 will scan for passwords, cookies, auto-fill data, and credit card details that are stored and saved on web browsers. It can also steal files and take screenshots of the desktop.

As highlighted by Bleeping Computer, DDoS protection screens are starting to become the norm. Their purpose is to protect websites from malicious bots looking to disable their servers by flooding them with traffic. However, it seems hackers have now found a loophole to use such screens as a disguise to spread malware.

With this in mind, Sucuri advises WordPress admins to look at its theme files, which is where threat actors are concentrating their efforts. Furthermore, the security website stresses that ISO files won’t be involved with DDoS protection screens, so be sure to not download anything of the sort.

Hacking, malware, and ransomware activity have become increasingly common throughout 2022. For example, a hacking-as-a-service scheme offers the ability to steal user data for just $10. As ever, make sure you reinforce your passwords and enable two-factor authentication across all your devices and accounts.

Editors' Recommendations