WordPress sites hacked with malware-laden fake Cloudflare DDoS alerts

Hackers are using a lookalike of a familiar distributed denial of service (DDoS) protection page to trick visitors into downloading malware, researchers say.

According to cybersecurity firm Sucuri, an unknown threat actor has been compromising poorly secured WordPress sites and injecting a fake Cloudflare DDoS protection landing page into them.

A DDoS attack works by flooding a website with traffic, overwhelming it and preventing real users from reaching it. A legitimate DDoS protection page, Cloudflare's included, runs its check inside the browser and never asks the visitor to download a file; that demand is the giveaway here.

DDOS GUARD

The landing page discovered by the researchers tells the visitor to download an application called “DDOS GUARD”, which will supposedly provide a verification code to enter on the site.

In reality, the download installs NetSupport RAT. NetSupport Manager is a legitimate remote administration and tech support program, but copies of it have long been hijacked by cybercriminals and deployed as a remote access trojan.

The RAT then fetches a second payload, the Raccoon Stealer infostealer. Raccoon steals passwords and cookies, as well as any payment data stored in the browser, and targets cryptocurrency wallet credentials. It can also collect other files and data and take screenshots.

A visitor who runs the file therefore hands the attackers remote control of their computer, along with a large amount of sensitive data.

To defend against the campaign, BleepingComputer says, IT teams should check the theme files of their WordPress sites, as that is the most common infection point; comparing them against a clean copy of the theme is the quickest way to spot injected JavaScript. Internet users, on the other hand, should enable strict script blocking in their browser, even if it means losing most website functionality, and should never run a downloaded file to pass a supposed DDoS check.
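The theme-file check above can be made routine. The following is an added example, not tooling from Sucuri, BleepingComputer or Cloudflare: it baselines a WordPress theme directory by file hash, re-scans it to report new, modified or missing files, and runs a few generic heuristics for injected loader scripts (remote script tags, eval/atob, long base64 blobs). The theme layout, file names and the simulated injection in `demo()` are constructed for the example, and the heuristics are general red flags, not indicators from this campaign.

```python
"""
Added example (not Sucuri's or BleepingComputer's tooling): a baseline
integrity check for a WordPress theme directory, plus a crude heuristic
scan for injected JavaScript loaders in theme PHP/JS files.
Paths, file names and the sample injected snippet below are constructed.
"""
import hashlib
import os
import re
import tempfile

# Generic signs of an injected loader. These are NOT indicators from the
# article's campaign, just patterns that are rare in clean theme code.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "remote_script": re.compile(r"<script[^>]+src=[\"']https?://", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def find_suspicious(text):
    """Return the sorted names of heuristics that match in text."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))

def scan_theme(root, baseline):
    """Compare root against a baseline taken from a known-clean copy.
    Returns {relpath: {"status": new|modified|missing|unchanged, "flags": [...]}}
    for every file that changed or that trips a heuristic."""
    findings = {}
    current = build_baseline(root)
    for rel, digest in current.items():
        status = None
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "modified"
        flags = []
        if rel.endswith((".php", ".js", ".html")):
            with open(os.path.join(root, rel), "r", encoding="utf-8", errors="replace") as f:
                flags = find_suspicious(f.read())
        if status or flags:
            findings[rel] = {"status": status or "unchanged", "flags": flags}
    for rel in baseline:
        if rel not in current:
            findings[rel] = {"status": "missing", "flags": []}
    return findings

def demo():
    """Constructed scenario: baseline a tiny clean theme, then simulate an
    injection (remote loader tag in header.php, bogus jquery file added)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        header = os.path.join(root, "header.php")
        with open(header, "w") as f:
            f.write("<?php wp_head(); ?>\n<header>Site</header>\n")
        with open(os.path.join(root, "js", "theme.js"), "w") as f:
            f.write("document.querySelector('nav').classList.add('ready');\n")
        baseline = build_baseline(root)

        # Simulated compromise (constructed, .invalid TLD never resolves)
        with open(header, "a") as f:
            f.write('<script src="https://cdn.example.invalid/jquery.min.js"></script>\n')
        with open(os.path.join(root, "js", "jquery.min.js"), "w") as f:
            f.write("eval(atob('" + "QUFB" * 50 + "'));\n")
        return scan_theme(root, baseline)

if __name__ == "__main__":
    for rel, info in demo().items():
        print(rel, info["status"], ",".join(info["flags"]))
```

In practice the baseline would be built from a freshly downloaded copy of the same theme version and stored off the web server, so an attacker who edits theme files cannot also edit the hashes; the heuristics are a triage aid for files the hash comparison already flagged, not a substitute for it.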

Via BleepingComputer