 Bogus DDoS Protection Alerts Distribute RATs

Researchers from Sucuri cautioned that malware distributors are luring users into downloading and running malware on their computers by taking advantage of their familiarity with, and innate trust in, DDoS protection pages.

DDoS protection alerts are web pages displayed in a user's browser while checks are made to ensure that the visitor is actually a human and not a bot or a participant in a DDoS attack.

Tactics of the scam 

These warnings may appear to be an inconvenience, but their sole purpose is to serve as preliminary checks before the user accesses the intended web page. They are also important for ensuring that malicious traffic is blocked before it reaches its target.

According to Sucuri's experts, the attacks start with a malicious JavaScript injection targeting WordPress sites, which causes a bogus Cloudflare DDoS protection pop-up to appear.

When the user clicks on the bogus pop-up, an ISO file containing a remote access trojan (RAT) is downloaded onto their machine. The victim is then told to open the file to get a verification code needed to access the target website.

The NetSupport RAT, RaccoonStealer information stealer, and two more payloads were seen being dropped by the ISO file.

The RAT is frequently used to screen victims before the distribution of ransomware and has been linked to FakeUpdates/SocGholish. According to Malwarebytes researcher Jerome Segura, the ISO file contains a shortcut that masquerades as an executable and runs PowerShell from another text file.
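As an added illustration (not code from Sucuri, Malwarebytes or the original article), this Python example lists the contents of a downloaded ISO without mounting it and flags the layout described above: a shortcut shipped beside a text or script file. It reads only the ISO 9660 primary volume descriptor (Joliet and UDF names are not decoded); the function names, the extension list and the sample image with its file names are assumptions constructed for the example.

```python
import struct
SECTOR = 2048
SCRIPT_EXT = (".txt", ".ps1", ".bat", ".cmd", ".js", ".vbs")   # assumed list, adjust as needed

def list_iso(image: bytes):
    """List (path, size) for every file in an ISO 9660 image without mounting it."""
    pvd = image[16 * SECTOR:17 * SECTOR]               # primary volume descriptor
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor")
    root = struct.unpack_from("<I4xI", pvd, 158)       # extent + size of the root directory
    files, seen, todo = [], {root[0]}, [(*root, "")]
    while todo:
        lba, length, prefix = todo.pop()
        data, pos = image[lba * SECTOR:lba * SECTOR + length], 0
        while pos < len(data):
            rec_len = data[pos]
            if rec_len == 0:                           # padding: records never span sectors
                pos = (pos // SECTOR + 1) * SECTOR
                continue
            rec, pos = data[pos:pos + rec_len], pos + rec_len
            if len(rec) < 34:                          # truncated or malformed record
                break
            ext, size = struct.unpack_from("<I4xI", rec, 2)
            name = rec[33:33 + rec[32]].decode("ascii", "replace").split(";")[0]
            if name in ("\x00", "\x01"):               # "." and ".." entries
                continue
            if not rec[25] & 0x02:                     # plain file
                files.append((prefix + name, size))
            elif ext not in seen:                      # directory: visit each extent once
                seen.add(ext)
                todo.append((ext, size, prefix + name + "/"))
    return files

def triage(image: bytes):          # flags a shortcut shipped beside a text/script file
    files = list_iso(image)
    shortcuts = [p for p, _ in files if p.lower().endswith(".lnk")]
    scripts = [p for p, _ in files if p.lower().endswith(SCRIPT_EXT)]
    return {"files": files, "shortcuts": shortcuts, "script_like": scripts,
            "matches_lure_layout": bool(shortcuts and scripts)}

def _rec(name, lba, size, flags=0):                    # one directory record (sample only)
    body = struct.pack("<xI4xI4x7xB6xB", lba, size, flags, len(name)) + name
    return bytes([len(body) + 1]) + body

def sample_iso():                                      # constructed image, hypothetical names
    root = b"".join(_rec(*r) for r in [(b"\x00", 18, SECTOR, 2), (b"\x01", 18, SECTOR, 2),
                                      (b"VERIFY.LNK;1", 19, 1200), (b"NOTES.TXT;1", 19, 300)])
    pvd = b"\x01CD001".ljust(156, b"\x00") + root[:34]
    return bytes(16 * SECTOR) + pvd.ljust(2 * SECTOR, b"\x00") + root.ljust(SECTOR, b"\x00")
```

A match is a reason to quarantine the image and inspect the shortcut's target; no match does not clear the file.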

NetSupport RAT, which was originally a legitimate program called NetSupport Manager, gives attackers remote access to the victim's computer, allowing them to install more malware, steal sensitive data, or even enlist the system in a botnet.

As website owners struggle to distinguish genuine visitors from the voluminous bot traffic, DDoS protection pages have grown in popularity in recent years.

"Remote access trojans (RATs) are among the most harmful infections a computer can contract as they offer the attackers total control of the system. The victim is now entirely at their mercy. Both site owners and visitors can take all necessary safety procedures", as per Sucuri.

Users are advised to avoid downloading and opening unexpected files, to update their operating system and applications frequently, and to consider installing a script-blocking browser extension.



