Beware: Hackers Exploit Fake Cloudflare Verification Screens to Distribute Malware
Cybercriminals are now deploying a deceptive Cloudflare verification screen to lure users into installing malicious software. This attack is alarmingly convincing, employing sophisticated social engineering tactics to deceive unsuspecting individuals simply trying to access their favorite websites.
With millions of websites relying on Cloudflare, users are often familiar with its verification page, making it easier for attackers to convince them that this fraudulent page is authentic.
This malware campaign was uncovered and thoroughly analyzed by Shaquib Izhar, who has shared insightful details on his LinkedIn profile.
Understanding the Attack Mechanism
The counterfeit page closely resembles a legitimate Cloudflare “verification” screen, prompting users to confirm their humanity before granting access to a website. However, instead of verifying identity, this deceptive page initiates a hidden attack. When users click the “Verify” button, it discreetly copies malicious PowerShell code to their clipboard.
Next, users are prompted to complete another fake verification step, while the page simultaneously captures their IP address and begins logging keystrokes. This phase includes a request to open the Windows Run prompt. When users do this and paste the copied code into the Run prompt, pressing enter triggers another PowerShell command that fetches a Base64-encoded payload from pastesio[.]com.
This payload subsequently downloads and executes a .BAT file from axiomsniper[.]info. Notably, this file includes a mechanism to detect if it’s being executed in a virtual machine. If detected, the malware will exit to avoid detection; otherwise, it continues to install additional harmful software onto the system.
This .BAT file currently has zero detections on VirusTotal, intensifying the threat it poses.
In my research, I stumbled upon a several-month-old Reddit thread discussing similar concerns. It appears that Sucuri has also published a comprehensive article detailing how attackers are targeting WordPress websites to present this fraudulent verification page to their visitors.
The Significance of This Threat
This counterfeit page appears trustworthy due to its imitation of a widely recognized security service (Cloudflare) and employs advanced evasion tactics to avoid detection by antivirus software. It only activates when users engage with it, complicating detection efforts by security tools. Experts believe this is one of the more sophisticated campaigns seen recently due to its clever manipulation of user trust.
This attack leverages social engineering and a seemingly reliable interface to mislead users. Most individuals would never suspect that a Cloudflare verification screen could be fraudulent, amplifying the risk associated with this malware. The malware is engineered to be incredibly stealthy, making it a significant threat to users.
Protect Yourself Against This Threat
If you encounter a CAPTCHA-style screen requesting you to verify your humanity, take a moment to assess the situation before clicking. Always verify the domain name to ensure the site is legitimate. If anything seems amiss, close the page immediately.
Avoid pasting or executing unknown commands from your clipboard. Employ security software that detects suspicious behavior rather than just known viruses. Moreover, refrain from downloading files or entering sensitive information on websites that appear questionable.
