In this post I will discuss the most realistic phishing popup I have seen in years. These popups appear only on WordPress websites that use Cloudflare, and they can easily be mistaken for Cloudflare's real “Sorry, you have been blocked” screen.
The post is divided into two sections:
- Analysis of the malware and malicious code
- Malware Removal and Hardening WordPress website
Analysis of the malware and malicious code
Malicious code used on this particular website is available on GitHub: https://github.com/stefanpejcic/wordpress-malware/
The phishing popup blocks access to the compromised WordPress website, which sits behind Cloudflare, by imitating Cloudflare's block screen. It is produced by the compromised site's own pages rather than served by Cloudflare, and it adds something the genuine block page never has: a “Check the system” button.
When a user clicks that “Check the system” button, it downloads a malware archive named CloudCK_st.zip.
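One way to tell the two pages apart from a raw capture, as an added example that is not part of the original post: the genuine Cloudflare block page is a 403 generated at the edge with nothing to download, while the fake is an overlay inside a normal 200 OK page that links to an archive. The classifier below runs over a response saved with `curl -si URL > FILE`; the two sample responses are constructed for the example, and the thresholds (403 status, `.zip` link, "you have been blocked" text) are my heuristics, not documented Cloudflare behaviour.

```shell
#!/bin/sh
# classify_block_page.sh: decide whether a saved HTTP response is Cloudflare's
# own "Sorry, you have been blocked" page or a look-alike injected into the
# site's HTML. Input is a raw response as captured with `curl -si URL > FILE`.
#
# Heuristics (assumptions, not documented Cloudflare behaviour):
#   - Cloudflare's genuine block page is a 403 generated at the edge and
#     offers nothing to download.
#   - The injected fake is part of a normal 200 OK page and links to an
#     archive. The Server header does not help: a site proxied by Cloudflare
#     returns "Server: cloudflare" for the fake as well.

classify_block_page() {
  f=$1
  # status code from the first line; strip CR in case of CRLF line endings
  status=$(head -n 1 "$f" | tr -d '\r' | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
  if grep -qi 'you have been blocked' "$f"; then blocked_text=1; else blocked_text=0; fi
  if grep -qi 'href="[^"]*\.zip"' "$f"; then zip_link=1; else zip_link=0; fi

  if [ "$blocked_text" -eq 0 ]; then
    echo "not-a-block-page"
  elif [ "$zip_link" -eq 1 ] || [ "$status" != "403" ]; then
    echo "injected-fake"
  else
    echo "cloudflare-block"
  fi
}

# Constructed sample of a genuine Cloudflare block response (not a real capture).
write_sample_real() {
  cat > "$1" <<'EOF'
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Server: cloudflare

<!DOCTYPE html><html><head><title>Attention Required! | Cloudflare</title></head>
<body><h1>Sorry, you have been blocked</h1>
<p>You are unable to access this site.</p></body></html>
EOF
}

# Constructed sample of the injected fake: a 200 OK site page with an overlay
# whose "Check the system" button links to the archive named in the post.
write_sample_fake() {
  cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: cloudflare

<!DOCTYPE html><html><body>
<div id="overlay"><h1>Sorry, you have been blocked</h1>
<p>Run the system check to continue.</p>
<a href="/CloudCK_st.zip">Check the system</a></div>
</body></html>
EOF
}

# Demo: classify both constructed samples.
demo_dir=$(mktemp -d)
write_sample_real "$demo_dir/real.txt"
write_sample_fake "$demo_dir/fake.txt"
printf 'real sample: %s\n' "$(classify_block_page "$demo_dir/real.txt")"
printf 'fake sample: %s\n' "$(classify_block_page "$demo_dir/fake.txt")"
rm -r "$demo_dir"
```

On a live site, capture the response with `curl -si` from a client that is actually shown the popup; if the "blocked" text arrives inside a 200 OK response that the site itself returns, the page is not Cloudflare's.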
When extracted, the .zip file contains:
The info.txt file contains this message:
ccme_ecc.dll does a few things:
CloudSystemCheck.exe is signed under the name “Rare Ideas, LLC”, the development company behind portableapps.com.
The certificate has expired; this FreeFixer guide explains in detail how to check whether the signature is valid: Rare Ideas, LLC – 0.064% Detection Rate *. Keep in mind that a signature covers only the signed executable itself, not the DLLs it loads from the same folder, so a recognisable publisher name on the .exe says nothing about ccme_ecc.dll.
I’ve discussed many times how to remove malware from WordPress websites, and this malware doesn’t require any extra steps, so make sure to read How to clean up a hacked WordPress site (Complete Guide).
I also recently posted How to hide a plugin from the WordPress plugins list, which is exactly what these malicious “plugins” are doing, so make sure to browse the plugin directories on disk manually rather than trusting the Plugins screen.
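As an added example (not the original post's or the author's code), the script below does the manual check described above in two passes: it lists every plugin present under wp-content/plugins that is missing from the slugs the admin Plugins screen shows, and it flags any plugin file that references the `all_plugins` filter, the WordPress hook a plugin uses to remove itself from that list. It assumes the standard wp-content/plugins layout and a text file with one visible slug per line (copied from the Plugins screen or from `wp plugin list --field=name`); the sample plugin tree, including the "cloud-check" plugin name, is constructed for the demo.

```shell
#!/bin/sh
# find_hidden_plugins.sh: surface plugins that exist on disk but are missing
# from the list the WordPress admin screen shows, and flag plugin files that
# hook the `all_plugins` filter, which is the hook a plugin uses to remove
# itself from that list.
#
# Assumptions: standard wp-content/plugins layout (one directory per plugin,
# or a single PHP file for single-file plugins); VISIBLE is a text file with
# one plugin slug per line, taken from the Plugins screen or from
# `wp plugin list --field=name`.

# Usage: find_hidden_plugins PLUGINS_DIR VISIBLE
find_hidden_plugins() {
  plugins_dir=$1
  visible=$2
  for entry in "$plugins_dir"/*; do
    [ -e "$entry" ] || continue
    slug=$(basename "$entry" .php)
    if [ "$slug" = "index" ]; then
      continue    # WordPress ships an empty index.php in this directory
    fi
    if ! grep -qxF "$slug" "$visible"; then
      echo "$slug"
    fi
  done | sort
}

# Usage: find_all_plugins_hooks PLUGINS_DIR
# Lists every file under the plugins directory that references the
# all_plugins filter. Legitimate plugins rarely do; inspect each hit.
find_all_plugins_hooks() {
  grep -rl "all_plugins" "$1" 2>/dev/null | sort
}

# Constructed sample tree (not a real site): two visible plugins and one
# hidden plugin that unhooks itself from the admin list via all_plugins.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/plugins/akismet" "$root/plugins/cloud-check"
  : > "$root/plugins/index.php"
  printf '<?php // Plugin Name: Akismet\n' > "$root/plugins/akismet/akismet.php"
  printf '<?php // Plugin Name: Hello Dolly\n' > "$root/plugins/hello.php"
  cat > "$root/plugins/cloud-check/cloud-check.php" <<'EOF'
<?php
// Plugin Name: Cloud Check (constructed sample of a self-hiding plugin)
add_filter('all_plugins', function ($plugins) {
    unset($plugins['cloud-check/cloud-check.php']);
    return $plugins;
});
EOF
  printf 'akismet\nhello\n' > "$root/visible.txt"   # what the admin screen shows
  echo "$root"
}

# Demo over the constructed tree.
sample=$(make_sample_tree)
echo "on disk but not in the admin list:"
find_hidden_plugins "$sample/plugins" "$sample/visible.txt"
echo "files hooking all_plugins:"
find_all_plugins_hooks "$sample/plugins"
rm -r "$sample"
```

Run the same two checks against wp-content/mu-plugins as well: must-use plugins never appear in the regular Plugins list, so that directory deserves the same file-by-file review.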
The malicious code is currently saved on GitHub because I was unable to find the time to decode and analyze it. I may do so in the future.