A New Javascript Injection Campaign on WordPress Websites Try Pushing RATs

The security research team from Sucuri, a well-known security firm, disclosed a new JavaScript injection Campaign on WordPress websites that helps hackers to push Remote Access Trojan malware using a fake Cloudflare DDoS protection popup. This campaign is going to be great learning for both WordPress website owners and web browsing users since both are actively being exploited using this campaign. This post is a must to read since we are going to cover likely everything about the JavaScript injection campaign on WordPress websites except the detailed technical analysis of the malware. Let’s get started. 

What is a Cloudflare DDoS protection Popup?

Before we understand what is CloudFlare’s DDoS Protection it is good to know about the DDoS and the Role of a Bot in DDoS Attacks. 

DDOS stands for distributed denial of service. It’s a type of attack that attempts to make a website or online service unavailable by flooding it with Internet traffic from multiple sources to overload the target site or service and prevent legitimate users from being able to access it.

A Bot is a computer program used to generate automated queries to websites. When these Bots are used in millions, they often create a Denial of Service situation. That’s why they are often used in DDoS attacks, as they can generate a large amount of traffic in a few seconds. By flooding a website or service with traffic from multiple bots, attackers can easily overwhelm the target and cause it to become unavailable.

However, not all bots cause problems. There are certain good bots that are actually essential to running the internet. Without them, search engines like Google, Bing, DuckDuckGo, Yahoo are unable to crawl the websites and present the results when users search their queries.

When there are good and bad bots on the internet, there is a need to create a mechanism that allows only good bots and blocks all the bad bots from reaching your website. Cloudflare is one such company that created a DDoS protection system that tries to analyze the bad bots and stop them from reaching the website.

As you know, there are trillions of traffic going on the internet per second. That encompasses user, good bot, and bad bot traffic. It is not an easy task for a DDoS protection system to detect bad bots and stop them. Sometimes, DDoS Protection systems misunderstand the user traffic as bad bot traffic, and as a result, the user sees a DDoS protection Popup when the user tries accessing the website. DDoS protectors throw a page or popups with a CAPTCHA to ensure the traffic is generated by a user not by a bot. That’s why it is common to see DDoS protection pages when casually surfing the web.

How Attackers Use the Javascript Injection Campaign on WordPress Websites to Serve Malware?

Since it is common to see DDoS protection pages or popups when casually surfing the web, users don’t go deep to verify whether it is a fake DDoS protection page or a legitimate one. Hackers utilize this behavior to deliver malware to a user’s device. 

Fake DDoS protection prompt image taken from Sucuri

When a user clicks on the popup in the hurry to access the website. A malicious ISO file will get downloaded to his computer/phone.

Malicious .iso downloaded from fake DDoS prompt, Source: Sucuri

Upon completion of the download the file then prompts to run to get a verification code to access the website.

Verification code request. Source: Sucuri

The ISO file displays a verification code to pretend to be legitimate.

Image Source: Sucuri

The ISO file downloaded is actually a Remote Access Trojan. See what Jerome Segura from Malwarebytes said about the malware. Please see the detailed technical report about the malware here.

Screenshot courtesy of Jerome Segura

This is NetSupport RAT. It has been linked to FakeUpdates/SocGholish and typically used to check victims before ransomware rollout. The ISO file contains a shortcut disguised as an executable that runs powershell from another text file.
It also installs RaccoonStealer and drops the following payloads After that, just about anything can happen depending on the victim:
– Jerome Segura

https://www.virustotal.com/gui/file/4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87/detection

https://www.virustotal.com/gui/file/299472f1d7e227f31ef573758452e9a57da2e3f30f3160c340b09451b032f8f3?nocache=1

How to Protect Your WordPress Website From This Javascript Injection Campaign?

There are a few key things you can do to protect your WordPress website from malware infection:

By following these simple tips, you can keep your WordPress website safe from malware infection.

There are a few things users can do to protect their computers from malware while browsing the internet:

We hope this post would help you know about a new JavaScript injection Campaign on WordPress websites that helps hackers to push Remote Access Trojan malware using a fake CloudFlare DDoS protection popup. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, subscribe to receive updates like this.