Threat actors are targeting unprotected WordPress sites in an effort to deploy Raccoon Stealer and the NetSupport Remote Access Trojan (RAT). Visitors of the affected sites will be greeted with what appears to be a DDoS protection screen, something that most internet users are familiar with. An option to bypass the protection screen is available to the user, but instead of simply getting rid of the screen, an ISO file is downloaded. After that download is complete and the file is opened, users are presented with an additional file, security_install[.]exe, that executes a PowerShell command that downloads the malware and installs it on the system.
Analyst Notes
It is advised that site administrators check the theme files of WordPress sites, as they are often used as the infection tactic in campaigns. Employing file integrity monitoring systems to catch JavaScript injections as soon as they occur is highly recommended as well. Enabling script blocking settings will also provide an added layer of protection.
https://cyware.com/news/wordpress-sites-compromised-to-display-fake-ddos-alerts-785b242b
