Threat actors compromise WordPress sites to display fake Cloudflare DDoS protection pages to distribute malware.
DDoS protection pages are associated with browser checks performed by WAF/CDN services, which verify whether the site visitor is a human or a bot.
Recently, security researchers at Sucuri spotted JavaScript injections targeting WordPress sites that display fake DDoS protection pages, which lead victims to download remote access trojan malware.
The fake page shown above asks the visitor to click a button to bypass the DDoS protection and reach the site. Clicking the button instead downloads a file named ‘security_install.iso’ to the visitor’s machine.
The file poses as a tool required to pass the DDoS verification. To trick visitors into opening it, a second message tells them that the verification code needed to access the website is contained in the file.
The scripts also infect the victim’s computer with the Raccoon Stealer information-stealing trojan, which allows operators to steal login credentials, cookies, auto-fill data and credit cards saved in web browsers, along with cryptocurrency wallets.
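A real WAF/CDN browser check never asks the visitor to download a disk image or executable, and the injection described above arrives as a script tag pointing at a host the site owner never added. The following scanner is an added example for site owners checking their own pages (it is not Sucuri's code and is not taken from the article): it parses an HTML document, flags script sources loaded from hosts outside an allowlist, and flags links to ISO/EXE-style files, escalating the latter when the page text reads like a DDoS or bot check. The host names, the allowlist parameter and the sample pages are constructed for the example; only the file name ‘security_install.iso’ comes from the article.

```python
"""Heuristic scanner for injected fake DDoS-protection lures in WordPress pages.

Added example, not code from the article or from Sucuri. Two signals:
  (a) <script src> loading from a host outside an allowlist (how the
      injection is delivered), and
  (b) a link offering a disk image / executable, which a genuine
      WAF/CDN browser check never does; when the surrounding text
      talks about DDoS protection or a verification code it is
      reported as a lure rather than just a binary download.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types a genuine bot-check page never asks the visitor to download.
LURE_EXTENSIONS = (".iso", ".img", ".exe", ".msi", ".scr", ".zip")
# Phrases that make a download link look like part of a bot/DDoS check
# (assumed heuristics for this example, not a vendor signature set).
LURE_PHRASES = ("ddos protection", "verification code", "checking your browser")


class _Collector(HTMLParser):
    """Collects script sources, link targets and visible text from one document."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)


def scan_html(html, site_host, allowed_script_hosts=()):
    """Return a list of (finding, detail) tuples for one HTML document.

    site_host: the site's own hostname; relative script paths and scripts
    from this host are considered normal. allowed_script_hosts: extra hosts
    (CDNs, analytics) the owner knowingly loads scripts from.
    """
    p = _Collector()
    p.feed(html)
    findings = []
    allowed = {site_host.lower(), *(h.lower() for h in allowed_script_hosts)}

    # (a) externally sourced scripts not on the allowlist
    for src in p.script_srcs:
        host = urlparse(src).netloc.lower()  # empty for relative paths
        if host and host not in allowed:
            findings.append(("external_script", src))

    # (b) downloads of binaries, escalated when the page text reads as a bot check
    body_text = " ".join(p.text).lower()
    lure_text = any(phrase in body_text for phrase in LURE_PHRASES)
    for href in p.hrefs:
        path = urlparse(href).path.lower()
        if path.endswith(LURE_EXTENSIONS):
            kind = "lure_download" if lure_text else "binary_download"
            findings.append((kind, href))
    return findings


# Constructed sample pages; hostnames are placeholders, not real indicators.
FAKE_PAGE = """<html><head><title>Checking your browser</title>
<script src="https://injected.example/loader.js"></script></head>
<body><h1>DDoS protection by Cloudflare</h1>
<p>Click below to download the verification code.</p>
<a href="https://injected.example/security_install.iso">Download</a>
</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example/lib.js"></script></head>
<body><a href="/blog/hello-world/">Hello world</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("fake", FAKE_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page, "victim-site.example", ["cdn.example"]))
```

Run it against the rendered HTML of each public page (as a browser would receive it, not the theme files on disk), because injections of this kind are frequently stored in the database or appended by a compromised plugin and only appear in the served output.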