Remote Access Trojans (RATs) are new to me — apparently, you can get one on a Windows machine as a malware payload from fake CloudFlare DDoS alert pages on hacked WordPress sites.
Bill Toulas at BleepingComputer says additional scripts “will download the Raccoon Stealer password-stealing trojan and launch it on the device.”
PC Magazine notes That’s only going to happen if the user complies with “an additional pop-up window [from the compromised WordPress site] that asks the user to install the ISO file to obtain a verification code.”
This isn’t entirely or even foremost a WordPress security issue. Moderately technically informed users probably don’t need any warnings about deceptive attacks like this, which seemsto prey on the less well-informed.
Toulas recommended “enabling strict script blocking settings” on your browser, which of course “will break the functionality of almost all sites.” (That made me laugh.)
There’s not a lot that can be done, practically speaking, about the problem of users with admin credentials who might download and mount a disk image full of malware. As I understand it, that’s always been a fundamental problem with Windows as opposed to *nix and MacOS.