- Sucuri reports that threat actors are currently installing fake Cloudflare DDoS protection pages to deceive people into downloading trojans.
- As the users download and install the so-called verification code generator, their systems are infected with NetSupport RAT and Raccoon Stealer.
- Currently, none of the legitimate DDoS protection techniques require users to install software to the systems.
As hackers aggressively seek ways of harming big companies, they often end up conducting huge DDoS attacks. Recently, we have shared several record-breaking DDoS attack news as well. To mitigate those attacks, companies generally put DDoS protection pages that make users wait for a little while to slow down the automated attempts. We have seen many DDoS protection pages, so we are used to them. But now, hackers are using those pages to deceive people to install malware on their systems.
Verification code generator bundled with trojans
According to Sucuri’s report, threat actors are now hacking poorly secured WordPress-based websites to deploy a fake Cloudflare DDoS protection page. This page shows a “Click here” button which leads to downloading a file named security_install.iso. The visiting users are guided to open that file to install the DDOS GUARD application in order to get a Personal Verification Code, which looks like a necessary step to proceed into the website.
As the victim runs the security_intall.exe file inside the security_install.iso container, it installs NetSupport RAT and downloads Raccoon Stealer. The NetSupport RAT is remote access trojan and Raccoon Stealer is a password stealer. The Raccoon Stealer is capable of stealing passwords, cookies, auto-fill data, and credit cards that are saved in web browsers. It can also steal from cryptocurrency wallets, exfiltrate files, and take screenshots of the systems.
Sucuri recommends website owners check theme files in their WordPress sites since they are currently the most common infection points. And users should be more careful about those attacks. Currently, none of the DDoS protection systems require the user to download and install files to the system.