Hackers use fake CloudFlare captcha to hide Trojan download

Sucuri is seeing the development of a campaign launched in August aimed at seeding the RAT in conjunction with a drive-by infostealer. Attackers inject JavaScript into WordPress sites, which displays a fake page of the Cloudflare security service and prompts the visitor to download some software to complete the check.

Malicious JavaScript injections are carried out by adding three lines of code to CMS core components, theme or plugin files. The number of sites infected in the course of new attacks is small – less than 1,000; in almost half of the cases, the unsolicited appendage was found in /wp-includes/js/jquery/jquery.min.js.

Previously, this script downloaded the content it needed to work (at the time, a fake Cloudflare DDoS protection warning) from the adogeevent[.]com domain. The new JavaScript variants request different domains, although the IP address remains the same.

Downloadable content has also changed. Now, a potential victim is presented with a CAPTCHA dialogue, supposedly pulled from the Cloudflare server.

Hackers use fake CloudFlare captcha to hide Trojan download

When you enter any value in the specified field (even the correct one), a hint pops up: to gain access to the site, you must complete the verification; if you have any problems, download our software so you don’t waste time on tests anymore.

Clicking on the inserted Download button downloads the .iso file, followed by unpacking the malicious content – CLOUDFLA.EXE or Cloudflare_security_installer.exe. To reinforce the illusion of legitimacy and divert attention, the Google Chrome update process is launched in the system: it is noteworthy that the updater uses the Russian language.

Meanwhile, RAT, the NetSupport remote administration tool favoured by SocGholish ransomware, is being installed into the system in the background. This payload, according to analysts, has remained the same. However, only two dozen antiviruses from the VirusTotal collection (as of September 15) recognize it.

In addition to the RAT, the victim, as before, receives a Racoon infostealer . Jerome Segura from Malwarebytes has a different opinion about the malware – the expert believes that this is an Amadey Trojan with a C2 server in the States. Kaspersky products and some other scanners detect a malicious kit with the verdict “banking Trojan” – it is possible that the infection can result in financial losses.

Sucuri experts recorded a similar attack but using another fake CloudFlare page – a warning about blocking access.

Hackers use fake CloudFlare captcha to hide Trojan download

At the same time, a Trojan file weighing 669.9 MB was offered for download. Apparently, the author of the attack was trying to bypass antiviruses in this way, which usually skip large files due to the size limit. The payload also included a note advising to run the executable, ostensibly to clean the system registry, but then the malware could be detected using behavioural analysis and heuristics.

Analysts also noted the case of hosting a payload on GitLab. The fraudulent account has already been blocked.

Catch up on more articles here

Follow us on Twitter here


Must read


Related Posts