
⚠️ Cloudflare phishing popup that downloads malware

In this post, I will discuss the most realistic phishing popup that I’ve seen in years. These popups appear only on WordPress websites that use Cloudflare and can easily be mistaken for Cloudflare’s original “Sorry, you have been blocked” screen.

The post is divided into two sections:

  • Analysis of the malware and malicious code
  • Malware Removal and Hardening the WordPress Website

Analysis of the malware and malicious code

The malicious code used on this particular website is available on GitHub: https://github.com/stefanpejcic/wordpress-malware/

The phishing popup blocks access to the compromised WordPress website, which uses Cloudflare.


When a user clicks the “Check the system” button, it downloads the malware archive CloudCK_st.zip.


When extracted, the .zip file contains:


The info.txt file contains this message:


ccme_ecc.dll does a few things:


CloudSystemCheck.exe is signed with the name “Rare Ideas, LLC”, the development company behind portableapps.com.

The certificate has expired, and this guide from FreeFixer explains in detail how to check whether the signature is valid: Rare Ideas, LLC – 0.064% Detection Rate


Malware Removal

I’ve discussed many times how to remove malware from WordPress websites, and this malware doesn’t require any extra steps, so make sure to read How to clean up a hacked WordPress site (Complete Guide).

I also recently posted How to hide a plugin from the WordPress plugins list, which is exactly what these malicious “plugins” are doing, so make sure to browse the files manually.
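One way to do that manual check, as an added example that is not from the original post or its GitHub repository: a Python script that lists plugin directories present on disk but absent from what WordPress reports (for instance the output of WP-CLI’s `wp plugin list --field=name`) and scans plugin sources for the `all_plugins` filter hook. That hook being the hiding mechanism is my assumption, since the post does not say how the hiding works; the sample data is constructed.

```python
import re
from pathlib import Path

# Regex for a PHP call that hooks the WordPress 'all_plugins' filter. The
# plugins-list screen passes its plugin array through this filter, so a plugin
# that drops itself from the array disappears from the list. (Assumption: the
# post only says the malicious "plugins" hide themselves, not how.)
ALL_PLUGINS_HOOK = re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]")


def hidden_plugin_dirs(on_disk, reported):
    """Plugin directories that exist on disk but are missing from what
    WordPress reports, e.g. the output of `wp plugin list --field=name`."""
    return sorted(set(on_disk) - set(reported))


def hooks_all_plugins(php_source):
    """True if the PHP source registers a callback on the 'all_plugins' filter."""
    return ALL_PLUGINS_HOOK.search(php_source) is not None


def scan_plugin_tree(root):
    """Return every .php file under a wp-content/plugins directory that hooks
    'all_plugins'. Few legitimate plugins need it, so each hit is worth a
    manual look."""
    root = Path(root)
    return sorted(
        str(path.relative_to(root))
        for path in root.rglob("*.php")
        if hooks_all_plugins(path.read_text(errors="ignore"))
    )


# Constructed sample data, not taken from the site in the post.
DISK_DIRS = ["akismet", "classic-editor", "wp-sys-check"]
REPORTED = ["akismet", "classic-editor"]  # what `wp plugin list` showed
SAMPLE_PHP = (
    "<?php\n/* Plugin Name: Sys Check (constructed) */\n"
    "add_filter( 'all_plugins', 'sys_check_filter' );\n"
)

if __name__ == "__main__":
    print("on disk but not listed:", hidden_plugin_dirs(DISK_DIRS, REPORTED))
    print("sample hooks all_plugins:", hooks_all_plugins(SAMPLE_PHP))
    # Real use: scan_plugin_tree("/var/www/html/wp-content/plugins")
```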


The malicious code is currently saved on GitHub because I was unable to find the time to decode and analyze it. I may do so in the future.
