Sucuri researchers have discovered an increase in fake distributed denial-of-service (DDoS) protection popups tricking WordPress users into downloading remote access trojan malware.
The researchers said many web users are so accustomed to these browser checks that they typically do not think twice before clicking on the prompt.
“However, the prompt actually downloads a malicious .iso file onto the victim’s computer,” Sucuri said.
The .iso file contains a verification code, which users must enter to continue to the website.
Sucuri said the file is a remote access trojan flagged as malicious by 15 security vendors, including AVG, Fortinet, and Tencent.
“Remote Access Trojans (RATs) are regarded as one of the worst types of infections that can affect a computer as it gives the attackers full control over the device,” Sucuri said.
Malwarebytes' Jerome Segura told Sucuri the malicious software is a NetSupport remote access tool (RAT) typically used to check victims before a ransomware rollout.
He said the .iso file contains a shortcut disguised as an executable that runs PowerShell from another text file, installing the RaccoonStealer password-stealing trojan and dropping malicious payloads.
RaccoonStealer harvests victims’ passwords, saved credit card information, auto-fill data, and cookies. It can also take screenshots of victims’ desktops and perform file extraction.
RaccoonStealer's targeted applications include Outlook, Thunderbird, Chrome, Microsoft Edge, and cryptocurrency applications like Exodus and Monero.
“The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy,” Sucuri said.
Sucuri advised website owners to keep their software up to date, use strong passwords, use two-factor authentication and a firewall, and employ file integrity monitoring.
The researchers recommended that website visitors use two-factor authentication on all important logins, ensure their computer has an antivirus, and use a script blocker in their browsers.