Cybersecurity experts at Sucuri recently discovered that hackers are using WordPress websites to spread a dangerous type of malware known as the ClearFake Trojan.
According to researchers, this malware is created with the intention of deceiving users into unknowingly installing harmful software on their computers.
Some of the consequences of falling victim to this malware can be quite severe, potentially resulting in ransomware attacks and other detrimental outcomes.
The attack starts with a fake error message that appears when users visit an infected website.
The message states that there is a problem with the webpage display and advises users to install a “root certificate” as a solution.
Then the prompt offers a button labeled “Fix it,” which, when clicked, leads to additional instructions that may appear technical and perplexing.
This is the first sign that something is wrong. The term “root certificate” might sound official, but legitimate websites do not ask users to install these.
The scammers rely on people not questioning these instructions and following them blindly.
When the user clicks the “How to fix” button, the instructions become more complex and detailed.
The user is instructed to open Windows PowerShell, a robust system management tool, and execute specific commands. These steps are intended to download and install malware without the user's awareness.
Once installed, the malware reaches out to a remote server to download a malicious file named “zilla.exe.”
This file is a Trojan, a type of malware that disguises itself as something harmless but is designed to steal sensitive information or cause other damage.
The hackers used a GitHub account to host the malicious file, which had been in operation for approximately six months prior to being reported.
Security researchers found that this attack is part of a broader campaign known as ClearFake.
It often leads to further infections, including ransomware attacks, which can lock users out of their files until they pay a ransom.
The hackers managed to insert the fake pop-up directly into the main index.php file of the WordPress website, which is an important part of how WordPress sites operate.
The malware was made adaptable by translating the pop-up message into 42 different languages, making it easily understandable for users worldwide.
The message will be displayed in the victim's native language, regardless of their location, which adds to its influence.