Headline
Fake DDoS Protection Alerts Distribute Dangerous RAT
Security vendor Sucuri says adversaries are injecting malicious JavaScript into numerous WordPress websites that triggers phony bot-related checks.
Threat actors are spoofing Cloudflare DDoS bot-checks in an attempt to drop a remote-access Trojan (RAT) on systems belonging to visitors to some previously compromised WordPress websites.
Researchers from Sucuri recently spotted the new attack vector while investigating a surge in JavaScript injection attacks targeting WordPress sites. They observed the attackers injecting a script into the WordPress websites that triggered a fake prompt claiming to be the website verifying if a site visitor is human or a DDoS bot.
Many Web application firewalls (WAFs) and content distribution network services routinely serve up such alerts as part of their DDoS protection service. Sucuri observed this new JavaScript on WordPress sites triggering a fake Cloudflare DDoS protection pop-up.
Users who clicked on the fake prompt to access the website ended up with a malicious .iso file downloaded onto their systems. They then received a new message asking them to open the file so they can receive a verification code for accessing the website. “Since these types of browser checks are so common on the web many users wouldn’t think twice before clicking this prompt to access the website they’re trying to visit,” Sucuri wrote. “What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of this post.”
Dangerous RAT
Sucuri identified the remote-access Trojan as NetSupport RAT, a malware tool that ransomware actors have previously used to footprint systems before delivering ransomware on them. The RAT has also been used to drop Racoon Stealer, a well-known information stealer that briefly dropped out of sight earlier this year before surging back on the threat landscape in June. Racoon Stealer surfaced in 2019 and was one of the most prolific information stealers of 2021. Threat actors have distributed it in a variety of ways, including malware-as-a-service models and by planting it on websites selling pirated software. With the fake Cloudflare DDoS protection prompts, threat actors now have a new way of distributing the malware.
“Threat actors, particularly when phishing, will use anything that looks legitimate to fool users,” says John Bambenek, principal threat hunter at Netenrich. As people get used to mechanisms like Captcha’s for detecting and blocking bots, it makes sense for threat actors to use those same mechanisms to try to fool users, he says. “This not only can be used to get people to install malware, but could be used for ‘credential checks’ to steal credentials of major cloud services (such as) Google, Microsoft, and Facebook,” Bambenek says.
Ultimately, website operators need a way to tell the difference between a real user and a synthetic one, or a bot, he notes. But often the more effective the tools for detecting bots get, the harder they get for users to decode, Bambenek adds.
Charles Conley, senior cyber security researcher at nVisium, says that using content spoofing of the kind that Sucuri observed to deliver a RAT is not especially new. Cybercriminals have routinely spoofed business-related apps and services from companies such as Microsoft, Zoom, and DocuSign to deliver malware and trick users into executing all kinds of unsafe software and actions.
However, with browser-based spoofing attacks, default settings on browsers such as Chrome that hide the full URL or operating systems like Windows that hide file extensions can make it harder for even discerning individuals to tell what they’re downloading and where it’s from, Conley says.