WordPress sites hacked by threat actors displaying fake DDoS Protection Pages to distribute Malware

Ref# AL2022_54 | Date: Aug 31st 2022

Description 

Threat actors have reportedly hacked WordPress sites to deliver malware (NetSupport RAT and Raccoon Stealer) by displaying fraudulent Cloudflare DDoS protection pages.  

Summary 

Distributed Denial-of-Service (DDoS) protection pages are critical browser verification checks that seek to prevent unwanted bot-driven and malicious traffic from using up bandwidth and rendering websites inaccessible.  

Because users are accustomed to such checks, victims can easily be tricked into downloading remote access trojan malware onto their devices by clicking the fake DDoS protection prompts found on compromised WordPress sites. These fake prompts stem from a rise in JavaScript injections.

How it works 

The attack aims at controlling WordPress sites so that they display fake DDoS protection prompts. When users click these prompts, a malicious ISO file (security_install.iso) is downloaded onto the victim's device.

Three lines of code are injected into a JavaScript file (jquery.min.js) or into the active theme file of the website. This causes a significant amount of JavaScript to be covertly loaded from a remote server.

The JavaScript communicates with another malicious domain that loads additional JavaScript, which triggers the prompt to download the malicious .iso file. Once the download completes, users are prompted to enter a verification code supposedly produced by the "DDoS Guard" application. The objective is to persuade victims to open the installer file in order to reach the destination website.

The file is reported to be a remote access trojan known as NetSupport RAT, which is linked to the FakeUpdates (also known as SocGholish) malware family. It also clandestinely installs Raccoon Stealer, a trojan designed to steal victims' credentials.

Remediation  

Website owners are advised to: 

  1. Place their sites behind a firewall. Firewalls aid in monitoring network traffic, stop virus attacks, prevent hacking, stop spyware and promote privacy.

  2. Institute file integrity monitoring systems. This will help to catch those JavaScript injections as they occur and prevent websites from being a RAT distribution point.

  3. Apply two-factor authentication (2FA). Two-factor authentication provides an added layer of security which makes it difficult for threat actors to access user accounts.

Users who visit the website should: 

  1. Enable two-factor authentication (2FA). As mentioned above, two-factor authentication provides an added layer of security which makes it difficult for threat actors to access user accounts.

  2. Steer clear of opening suspicious files. Opening these files may execute a program that could damage or steal critical data.

  3. Employ a script blocker in web browsers to prevent the execution of JavaScript. Threat actors may use JavaScript tricks to foist malicious software and exploits onto site visitors, so a script blocker is recommended.

The theme files of WordPress sites were found to be the most common infection point in the campaign. Admins are therefore advised to review these files.
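The file integrity monitoring recommended above and the theme-file review can be combined in one lightweight check. The following script is an added illustration, not part of this alert or of any named product: it hashes the PHP and JavaScript files under a WordPress install to build a trusted baseline, reports files that were added, modified or removed since that baseline, and scans the changed files for script loads from hosts outside a site-specific allowlist. The directory layout, the allowlist (example.com) and the injected script tag pointing at a .invalid host are all constructed for the demo; real deployments would keep the baseline outside the web root and run the comparison on a schedule.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types worth watching in a WordPress install: theme/plugin PHP and bundled JS.
WATCHED_SUFFIXES = {".php", ".js"}

# Hosts the site legitimately loads scripts from (assumption: site-specific allowlist).
ALLOWED_SCRIPT_HOSTS = {"example.com", "www.example.com"}

# Matches an absolute URL in a <script src="..."> tag or in a script.src = "..." assignment.
SCRIPT_URL_RE = re.compile(
    r"""(?:<script[^>]*\ssrc\s*=\s*|\.src\s*=\s*)["'](https?://[^"']+)["']""",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large minified bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every watched file under root; the result is the trusted baseline."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Return files that were added, modified or removed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def find_remote_script_loads(text: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return script URLs in text whose host is not on the allowlist."""
    suspicious = []
    for url in SCRIPT_URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            suspicious.append(url)
    return suspicious


def review_changed_files(root: Path, baseline: dict) -> dict:
    """Combine both checks: which files changed, and remote script loads found in them."""
    changes = diff_against_baseline(root, baseline)
    findings = {}
    for rel in changes["added"] + changes["modified"]:
        hits = find_remote_script_loads((root / rel).read_text(errors="replace"))
        if hits:
            findings[rel] = hits
    return {"changes": changes, "remote_script_loads": findings}


def demo() -> dict:
    """Build a constructed mini WordPress tree, baseline it, then simulate a theme-file change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "demo-theme"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<footer>site</footer>\n")
        (theme / "header.php").write_text(
            '<script src="https://www.example.com/app.js"></script>\n'
        )
        (root / "wp-includes" / "js").mkdir(parents=True)
        (root / "wp-includes" / "js" / "jquery.min.js").write_text("/* jquery stub */\n")

        baseline = build_baseline(root)

        # Constructed change standing in for an injection: a script tag pointing at a
        # host the site never used (the .invalid TLD is reserved and never resolves).
        with (theme / "footer.php").open("a") as handle:
            handle.write('<script src="https://cdn.example-injected.invalid/l.js"></script>\n')

        return review_changed_files(root, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the script prints the modified footer.php together with the unexpected script URL found in it, while header.php (which loads only from the allowlisted host) produces no finding. The allowlist heuristic is deliberately simple; a production check would also alert on obfuscated loaders that build the URL at runtime, which this pattern does not catch.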

It should be noted that downloading ISO files is not a legitimate anti-DDoS procedure. If one is downloaded accidentally, do not unpack or run its contents.

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary. 
