Hackers are using fake WordPress DDoS pages to launch malware

Hackers are pushing the distribution of dangerous malware via WordPress websites through bogus Cloudflare distributed denial of service (DDoS) protection pages, a new report has found.

As reported by PCMag and Bleeping Computer, WordPress-based websites are being hacked by threat actors, and victims who fall for the trick end up with NetSupport RAT and a password-stealing trojan (Raccoon Stealer) installed.

Cybersecurity firm Sucuri detailed how hackers are breaching WordPress sites that lack a strong security foundation in order to inject JavaScript payloads, which in turn display fake Cloudflare DDoS protection alerts.

Once someone visits one of these compromised sites, it directs them to click a button to confirm the DDoS protection check. That action leads to the download of a ‘security_install.iso’ file to their system.

From here, instructions ask the individual to open the infected file that is disguised as a program called DDOS GUARD, in addition to entering a code.

Another file, security_install.exe, is present as well — a Windows shortcut that executes a PowerShell command via the debug.txt file. Once the file is opened, NetSupport RAT, a popular remote access trojan, is loaded onto the system. The scripts that run once they have access to the PC will also install and launch the Raccoon Stealer password-stealing trojan.

Originally shut down in March 2022, Raccoon Stealer made a return in June with a range of updates. Once successfully opened on a victim’s system, Raccoon 2.0 will scan for passwords, cookies, auto-fill data, and credit card details that are stored and saved on web browsers. It can also steal files and take screenshots of the desktop.

As highlighted by Bleeping Computer, DDoS protection screens are starting to become the norm. Their purpose is to protect websites from malicious bots looking to disable their servers by flooding them with traffic. However, it seems hackers have now found a loophole to use such screens as a disguise to spread malware.

With this in mind, Sucuri advises WordPress admins to inspect their theme files, which is where threat actors are concentrating their efforts. Furthermore, the security firm stresses that ISO files will never be part of a legitimate DDoS protection screen, so be sure not to download anything of the sort.
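As an added illustration of the theme-file review Sucuri recommends (this is an example written for this page, not Sucuri's scanner or its published signatures), the script below walks a WordPress theme directory and flags files that load scripts from hosts outside an allow-list, reference an .iso download, use common JavaScript obfuscation calls, or contain "DDoS protection" overlay text. The two sample theme files, the allowed hosts, and the `malicious.invalid` host are all constructed for the demo; the heuristics are assumptions to be tuned to the site being checked.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Heuristic indicators for an injected fake "DDoS check" overlay.
# These are illustrative assumptions, not Sucuri's published signatures.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
INDICATORS = {
    "iso_download": re.compile(r"\.iso\b", re.I),            # DDoS checks never ship ISOs
    "js_obfuscation": re.compile(r"\b(?:eval|atob|unescape)\s*\(", re.I),
    "fake_ddos_text": re.compile(r"ddos[\s_-]*(?:protection|guard)", re.I),
}
SCAN_SUFFIXES = {".php", ".js", ".html"}


def scan_file(path, allowed_hosts):
    """Return the set of indicator names that fire for one theme file."""
    text = path.read_text(errors="replace")
    hits = set()
    # Any <script src=...> pointing at a host the site does not own is suspicious.
    for src in SCRIPT_SRC.findall(text):
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            hits.add("external_script")
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.add(name)
    return hits


def scan_theme(theme_dir, allowed_hosts):
    """Map each flagged file (relative path) to the indicators it triggered."""
    root = Path(theme_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_file(path, allowed_hosts)
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample theme files: one clean, one carrying an injected block.
CLEAN_HEADER = """<?php wp_head(); ?>
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
"""
INFECTED_FOOTER = """<?php wp_footer(); ?>
<!-- constructed sample of an injected block; the host is a placeholder -->
<script src="https://malicious.invalid/check.js"></script>
<script>var p=atob("...");</script>
<div id="overlay">DDoS protection check: download security_install.iso</div>
"""


def run_demo():
    """Write the sample theme to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "mytheme"
        theme.mkdir()
        (theme / "header.php").write_text(CLEAN_HEADER)
        (theme / "footer.php").write_text(INFECTED_FOOTER)
        return scan_theme(theme, allowed_hosts={"www.example.com", "example.com"})


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(f"{rel}: {', '.join(sorted(hits))}")
```

Run against a real install by calling `scan_theme("/path/to/wp-content/themes/<theme>", allowed_hosts={...})` with the hosts the site legitimately loads scripts from; a hit is a prompt to diff the file against a clean copy of the theme, not proof of compromise on its own.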

Hacking, malware, and ransomware activity have become increasingly common throughout 2022. For example, a hacking-as-a-service scheme offers the ability to steal user data for just $10. As ever, make sure you reinforce your passwords and enable two-factor authentication across all your devices and accounts.

Zak Islam
Computing Writer
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…