About Me

My photo
Prameet
Prameet Nanda is a security consultant, as well as an author in Cyber-security. Prameet a BCA degree in Computer Science and worked in IT security and Web application development. He has successfully delivered and developed IT solutions for companies all over Nations. He is passionate about Technology and loves what he’s doing. After many years of experience in computer science, he has turned his attention to cyber security and the importance that security brings to this mine field. His passion to the ethical hacking mixed with his background in programming and IT makes him a wise swiss knife professional in the computer science field
View my complete profile

Contact Form

Name

Email *

Message *

Fake DDoS protection pages on compromised WordPress sites lead to malware infections

Prameet

 DDoS Protection pages are associated with browser checks performed by WAF/CDN services which verify if the site visitor is a human or a bot.

Recently security experts from Sucuri, spotted JavaScript injections targeting WordPress sites to display fake DDoS Protection pages which lead victims to download remote access trojan malware.

“Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake CloudFlare DDoS protection popup.” reads the post published by Sucuri.


The page above requests that the visitor clicks on a button to bypass the DDoS protection and visit the site. However, upon clicking on the button, the ‘security_install.iso’ file is downloaded to the visitor’s machine. The file poses as a tool required to bypass the DDoS verification. In order to trick the visitors into opening the file, a new message tells them that the verification code to access the website is contained in the file.

Upon opening the file, the image file is mounted and its content is shown to the visitors. The mounted drive contains a file called security_install.exe, which is actually a Windows shortcut that runs a PowerShell command contained in the debug.txt file in the same drive.

Launching the security_install.exe, the infection chain starts while a fake DDoS code is displayed.
Ultimately, this causes a chain of scripts to run that display the fake DDoS code needed to view the site. The process leads to the installation of the NetSupport RAT remote access trojan.

The scripts will also infect the victim’s computer with the Raccoon Stealer info-stealing trojan which allows operators to steal login credentials, cookies, auto-fill data, and credit cards saved on web browsers, along with cryptocurrency wallets.

Website owners are recommended to:
  • Keep all software on your website up to date
  • Use strong passwords
  • Use 2FA on your administrative panel
  • Place your website behind a firewall service
while below are the recommendations for regular website visitors:
  • Make sure your computer is running a robust antivirus program
  • Place 2FA on all important logins (such as your bank, social media)
  • Practice good browsing habits; don’t open strange files!
  • Keep your browser and all software on your computer updated/patched
  • Use a script blocker in your browser (advanced)
-Prameet





Prameet

Posted by Prameet

Prameet Nanda is a security consultant, as well as an author in Cyber-security. Prameet a BCA degree in Computer Science and worked in IT security and Web application development. He has successfully delivered and developed IT solutions for companies all over Nations. He is passionate about Technology and loves what he’s doing. After many years of experience in computer science, he has turned his attention to cyber security and the importance that security brings to this mine field. His passion to the ethical hacking mixed with his background in programming and IT makes him a wise swiss knife professional in the computer science field