// Post Status Notes

Sites hacked with fake CloudFlare DDoS alerts infected with RATs

Remote Access Trojans (RATs) are new to me; apparently, you can get one on a Windows machine as a malware payload from fake CloudFlare DDoS alert pages on hacked WordPress sites.

Ben Martin at Sucuri explains “a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware” in an .ISO file named security_install.iso.

Bill Toulas at BleepingComputer says additional scripts “will download the Raccoon Stealer password-stealing trojan and launch it on the device.”

PC Magazine notes that’s only going to happen if the user complies with “an additional pop-up window [from the compromised WordPress site] that asks the user to install the ISO file to obtain a verification code.”
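The first link in that chain is the JavaScript injected into the WordPress site itself, and that is the part a site owner can actually look for. As an added example (not code from Post Status, Sucuri, or any of the articles quoted above), the following Python script is the kind of check an operator could run over a WordPress document root: it flags `<script>` tags whose `src` points at a host outside an allowlist, and inline scripts that use common obfuscation calls or carry a long encoded blob. The sample footer content, the hostname under `.test`, the base64 payload and the heuristics are all constructed for illustration; none is an indicator from the real campaign.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Match each <script ...>...</script> element; group 1 = attributes, group 2 = inline body.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Generic obfuscation heuristics for inline JavaScript (constructed for this example,
# not a signature for any specific campaign).
SUSPICIOUS_INLINE = [
    ("eval(", "eval() call"),
    ("atob(", "base64 decode"),
    ("String.fromCharCode", "char-code decoding"),
    ("unescape(", "unescape() call"),
    ("document.write", "document.write injection"),
]
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{80,}")  # long base64-looking token


def script_host(src: str) -> str:
    """Hostname of a script src; '' for relative paths (same-origin)."""
    if src.startswith("//"):          # protocol-relative URL still loads from another host
        src = "https:" + src
    return urlparse(src).hostname or ""


def find_injected_scripts(content: str, allowed_hosts: set) -> list:
    """Return a list of findings for script tags that look injected."""
    findings = []
    for m in SCRIPT_TAG.finditer(content):
        attrs, body = m.group(1), m.group(2)
        src_m = SRC_ATTR.search(attrs)
        if src_m:
            host = script_host(src_m.group(1))
            if host and host not in allowed_hosts:
                findings.append({"kind": "external_src", "detail": host})
            continue
        reasons = [label for needle, label in SUSPICIOUS_INLINE if needle in body]
        if LONG_BLOB.search(body):
            reasons.append("long encoded blob")
        if reasons:
            findings.append({"kind": "suspicious_inline", "detail": ", ".join(reasons)})
    return findings


def scan_tree(root, allowed_hosts, suffixes=(".php", ".js", ".html")):
    """Walk a WordPress docroot and return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = find_injected_scripts(text, allowed_hosts)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample content standing in for a theme's footer.php.
CLEAN_FOOTER = """<footer>...</footer>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://example.com/wp-content/themes/twentytwenty/assets/js/index.js"></script>
</body></html>
"""

# Same footer with two constructed injections appended: an external loader and an
# inline decode-and-eval stub ("YWxlcnQoMSk=" is just base64 for alert(1)).
INJECTED_FOOTER = CLEAN_FOOTER + """<script src="//cdn.not-a-real-indicator.test/loader.js"></script>
<script>var p=atob("YWxlcnQoMSk=");eval(p);</script>
"""

if __name__ == "__main__":
    allowed = {"example.com"}
    print("clean:", find_injected_scripts(CLEAN_FOOTER, allowed))
    for finding in find_injected_scripts(INJECTED_FOOTER, allowed):
        print("injected:", finding)
```

Run `scan_tree("/var/www/html", {"yoursite.example"})` against a real docroot to get per-file hits; the allowlist should contain your own hostname plus any CDN you deliberately load from, so a genuinely unknown host stands out. Heuristics like these produce false positives on minified vendor code, so treat hits as a triage list, and compare against a clean copy of the theme or plugin from wordpress.org before deleting anything.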

This isn’t entirely or even foremost a WordPress security issue. Moderately technically informed users probably don’t need any warnings about deceptive attacks like this, which seem to prey on the less well-informed.

Toulas recommended “enabling strict script blocking settings” on your browser, which of course “will break the functionality of almost all sites.” (That made me laugh.)

There’s not a lot that can be done, practically speaking, about the problem of users with admin credentials who might download and mount a disk image full of malware. As I understand it, that’s always been a fundamental problem with Windows as opposed to *nix and MacOS.