The security research team from Sucuri, a well-known security firm, disclosed a new JavaScript injection Campaign on WordPress websites that helps hackers to push Remote Access Trojan malware using a fake Cloudflare DDoS protection popup. This campaign is going to be great learning for both WordPress website owners and web browsing users since both are actively being exploited using this campaign. This post is a must to read since we are going to cover likely everything about the JavaScript injection campaign on WordPress websites except the detailed technical analysis of the malware. Let’s get started.
Table of Contents
What is a Cloudflare DDoS protection Popup?
Before we understand what is CloudFlare’s DDoS Protection it is good to know about the DDoS and the Role of a Bot in DDoS Attacks.
DDOS stands for distributed denial of service. It’s a type of attack that attempts to make a website or online service unavailable by flooding it with Internet traffic from multiple sources to overload the target site or service and prevent legitimate users from being able to access it.
A Bot is a computer program used to generate automated queries to websites. When these Bots are used in millions, they often create a Denial of Service situation. That’s why they are often used in DDoS attacks, as they can generate a large amount of traffic in a few seconds. By flooding a website or service with traffic from multiple bots, attackers can easily overwhelm the target and cause it to become unavailable.
However, not all bots cause problems. There are certain good bots that are actually essential to running the internet. Without them, search engines like Google, Bing, DuckDuckGo, Yahoo are unable to crawl the websites and present the results when users search their queries.
When there are good and bad bots on the internet, there is a need to create a mechanism that allows only good bots and blocks all the bad bots from reaching your website. Cloudflare is one such company that created a DDoS protection system that tries to analyze the bad bots and stop them from reaching the website.
As you know, there are trillions of traffic going on the internet per second. That encompasses user, good bot, and bad bot traffic. It is not an easy task for a DDoS protection system to detect bad bots and stop them. Sometimes, DDoS Protection systems misunderstand the user traffic as bad bot traffic, and as a result, the user sees a DDoS protection Popup when the user tries accessing the website. DDoS protectors throw a page or popups with a CAPTCHA to ensure the traffic is generated by a user not by a bot. That’s why it is common to see DDoS protection pages when casually surfing the web.
How Attackers Use the Javascript Injection Campaign on WordPress Websites to Serve Malware?
Since it is common to see DDoS protection pages or popups when casually surfing the web, users don’t go deep to verify whether it is a fake DDoS protection page or a legitimate one. Hackers utilize this behavior to deliver malware to a user’s device.
When a user clicks on the popup in the hurry to access the website. A malicious ISO file will get downloaded to his computer/phone.
Upon completion of the download the file then prompts to run to get a verification code to access the website.
The ISO file displays a verification code to pretend to be legitimate.
The ISO file downloaded is actually a Remote Access Trojan. See what Jerome Segura from Malwarebytes said about the malware. Please see the detailed technical report about the malware here.
This is NetSupport RAT. It has been linked to FakeUpdates/SocGholish and typically used to check victims before ransomware rollout. The ISO file contains a shortcut disguised as an executable that runs powershell from another text file.
It also installs RaccoonStealer and drops the following payloads After that, just about anything can happen depending on the victim:
– Jerome Segura
https://www.virustotal.com/gui/file/4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87/detection
https://www.virustotal.com/gui/file/299472f1d7e227f31ef573758452e9a57da2e3f30f3160c340b09451b032f8f3?nocache=1
How to Protect Your WordPress Website From This Javascript Injection Campaign?
There are a few key things you can do to protect your WordPress website from malware infection:
- Keep your WordPress installation, themes, and plugins up to date.
- Use a reputable security plugin, like Sucuri or Wordfence, to scan your site for malicious code and keep your site safe.
- Use a strong password for your WordPress admin area, and change it regularly.
- Don’t install plugins or themes from untrustworthy sources.
- Regularly back up your WordPress site so you can restore it if it becomes infected.
By following these simple tips, you can keep your WordPress website safe from malware infection.
There are a few things users can do to protect their computers from malware while browsing the internet:
- Install and use a reliable anti-virus/anti-malware program: This is probably the most important thing users can do to protect their computers from malware. A good anti-virus/anti-malware program will detect and remove most malware before it can do any damage.
- Keep your operating system and software up-to-date: Many malware programs exploit security vulnerabilities in outdated software to infect computers. By keeping your operating system and software up-to-date, you can close these security holes and make it much harder for malware to infect your computer.
- Be cautious about what you download and run: Only download files from trusted sources, and be careful about what you click on when browsing the internet. Many malware programs are spread through malicious email attachments or links.
- Use a firewall: A firewall can help to protect your computer from malware by blocking incoming connections from untrusted sources.
- Back up your data: If your computer does become infected with malware, you can often restore your data from a backup if you have one. This will help to limit the amount of damage that the malware can do.
We hope this post will help you know about a new JavaScript injection Campaign on WordPress websites that helps hackers to push Remote Access Trojan malware using a fake CloudFlare DDoS protection popup. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/281735.html