Threat actors are using phony Cloudflare distributed denial-of-service (DDoS) protection pages, displayed on hacked, insecure WordPress sites, to spread malware that facilitates installation of the Raccoon Stealer trojan and NetSupport RAT, reports BleepingComputer.
The fake Cloudflare DDoS protection screens conceal a JavaScript payload which, when clicked, prompts the download of a "security_install.iso" file purporting to be a tool needed for evading DDoS verification, a report from Sucuri revealed. Opening the ISO shows a "security_install.exe" file that facilitates PowerShell command execution from the debug.txt file, which then results in NetSupport RAT installation and, eventually, Raccoon Stealer trojan deployment.
Raccoon Stealer has targeted passwords, auto-fill data, cookies, and credit cards stored in web browsers since its reemergence in June, researchers noted.
The new malware attacks should prompt administrators to inspect their WordPress sites' theme files and implement file integrity monitoring systems to prevent RAT distribution through their sites, researchers added.