Fake DDoS protection pages on compromised WordPress sites contain malware
Recently, cybersecurity researchers spotted JavaScript injections targeting WordPress websites that display fake DDoS protection pages, which lead visitors to download remote access malware.
Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake Cloudflare DDoS protection popup.
The page above requests that the visitor click a button to bypass the DDoS protection and visit the website.
When the visitor opens the downloaded file, the disk image is mounted and its contents are shown. The mounted drive contains a file called security_install.exe, which is actually a Windows shortcut that runs a PowerShell command contained in the debug.txt file on the same drive.
Launching security_install.exe starts the infection chain while a fake DDoS code is displayed.
This causes a chain of scripts to run that display the fake DDoS code supposedly needed to view the site. The process ends with the installation of the NetSupport RAT remote access trojan.
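The lure hinges on a file named security_install.exe that is really a Windows shortcut. One defensive check a responder can run over a mounted image is to compare each file's leading bytes with the fixed .lnk header and flag any shortcut whose extension claims otherwise. This is an added example, not code from the researchers who reported the campaign; the sample files it builds are constructed stand-ins, not the real payload.

```python
import tempfile
from pathlib import Path
from typing import List

# A Windows shortcut (.lnk) always begins with HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
PE_MAGIC = b"MZ"  # genuine Windows executables start with the DOS 'MZ' stub


def classify_header(data: bytes) -> str:
    """Return 'lnk', 'pe' or 'other' based on a file's leading bytes."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def find_disguised_shortcuts(root: str) -> List[str]:
    """Walk a mounted image and report files whose content is a shortcut
    but whose extension is not .lnk (e.g. an .exe that is really a .lnk)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(len(LNK_MAGIC))
        if classify_header(head) == "lnk" and path.suffix.lower() != ".lnk":
            hits.append(str(path.relative_to(root)))
    return hits


def demo() -> List[str]:
    """Build a constructed sample image directory and scan it."""
    root = tempfile.mkdtemp()
    # Constructed: a shortcut masquerading as an installer, as in the article.
    (Path(root) / "security_install.exe").write_bytes(LNK_MAGIC + b"\x00" * 60)
    # Constructed: a harmless companion text file and a genuine-looking PE for contrast.
    (Path(root) / "debug.txt").write_bytes(b"placeholder text, not a real command")
    (Path(root) / "real_tool.exe").write_bytes(PE_MAGIC + b"\x90" * 60)
    return find_disguised_shortcuts(root)


if __name__ == "__main__":
    print(demo())  # ['security_install.exe']
```

The check only detects the header mismatch; it does not parse the shortcut's target, so a flagged file still needs manual review of what it launches.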
Website owners are recommended to: