Fake Cloudflare CAPTCHA Malware in WordPress Environments

July 24, 2025

Issue Reported

WordPress sites are displaying fake Cloudflare CAPTCHA prompts (e.g., “Human Verification Required” or “Unusual Traffic Detected”) that do not originate from Cloudflare. Upon interaction (e.g., clicking “Verify”), users are redirected to phishing sites, scam pages, or domains hosting malware. This often results in browser hijacking, data theft, or secondary infections. The malware persists in site files, surviving updates if not fully removed, and can spread via fake plugins or themes embedded in legitimate ones.

Malware Type

  • Primary Classification: Obfuscated JavaScript Redirect Malware with Social Engineering Elements.
  • Delivery Method: Injected into WordPress files (e.g., theme files such as functions.php, plugin files, or hidden directories such as theme folders nested inside plugins).
  • Behavior:
    • Decodes base64-encoded malicious domains from query parameters.
    • Modifies site links (e.g., home link) to redirect to fake CAPTCHA pages on attacker-controlled domains.
    • Uses Cloudflare’s branding to build trust, prompting users to “verify” via clicks or commands, leading to redirects or malware downloads.
  • Variants: Includes “ClickFix” attacks mimicking Cloudflare Turnstile, serving bogus DDoS CAPTCHA pages that coerce users into running terminal commands or enabling exploits.
  • Impact: High – Affects site SEO, user trust, and can lead to full site compromise or visitor infections. Often part of broader campaigns targeting WordPress vulnerabilities like unpatched plugins.

Code Breakdown and Decoding

The provided code is a heavily obfuscated JavaScript snippet typical of this malware family. It employs multiple layers of obfuscation, including function renaming, hexadecimal offsets, and self-referential deobfuscators to evade detection. Below is a step-by-step breakdown:

1. Obfuscation Techniques

  • Function Renaming and Offsets: Functions like _0x3166 act as a string table accessor, using offsets (e.g., _0x52513c0x1295) to retrieve strings from an array (_0x59b3() returns a large array of encoded strings).
  • Self-Deobfuscators: Nested functions (e.g., _0x3a585a, _0x133dd3, _0x5ccb89, _0x1795c6) use try-catch loops and constructors to build and execute dynamic code, avoiding static analysis.
  • Base64 and Encoding Layers: The core payload involves decoding base64 strings with additional replacements (e.g., + to space via replace(/\+/g, '\x20') and decodeURIComponent(escape(atob(input)))).
  • Anti-Debugging: Constructs like while(!![]) with parseInt calculations create infinite-loop-like structures that resolve to break conditions, hiding the main logic.

2. Key Components

  • String Table (_0x59b3()): Returns an array of obfuscated strings (e.g., encoded function names like 'constructor', 'return', 'prototype'). This is deobfuscated dynamically.
  • Deobfuscation Loop: The initial anonymous function shifts an array (_0x3059cd) until a computed value (_0x43daec) matches a target, building the deobfuscated code.
  • decodeFromBase64 Function:
    • Takes a base64 input (_0x31f695).
    • Applies multiple transformations: atob for base64 decode, escape for URL encoding, decodeURIComponent for final decoding.
    • Handles replacements like replace(/\+/g, '\x20') to fix encoded spaces.
    • Output: A decoded string (likely a malicious domain).
  • getQueryParams Function:
    • Parses window.location.search for parameters.
    • Looks for ?domain=base64_string.
    • Decodes the ‘domain’ param using decodeFromBase64.
  • Main Payload Execution:
    • If a decoded domain exists, it targets the site’s “home link” (e.g., logo or home button via getElementById('homeLink')).
    • Sets the link’s href to https://decoded_domain/?verified=true.
    • Adds a click event listener to prevent default navigation and force a full redirect (window.location.replace).
    • This creates the illusion of a CAPTCHA verification, redirecting to a fake Cloudflare page on the malicious domain.

3. Decoded Behavior

  • The malware checks for a query parameter like ?domain=encoded_malicious_domain.
  • Decodes it to something like malicious.com.
  • On site load, hijacks navigation links to redirect to https://malicious.com/?verified=true.
  • The fake CAPTCHA page (hosted on the malicious domain) may prompt users to “verify” by clicking, running commands (e.g., PowerShell scripts for Windows malware), or enabling browser features, leading to infections like info-stealers or ransomware.
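An analyst-side decoder, added here as an example and not code from the original write-up, that reproduces the decodeFromBase64 and getQueryParams chain from sections 2 and 3 on a captured URL, so the redirect domain can be recovered without loading the infected page. The victim host and the encoded domain value are constructed, and Node.js 16+ is assumed.

```javascript
// Added example, not the original write-up's code: decode the `domain` query
// parameter the way the malware does, on a captured URL. Assumes Node.js 16+.

// Mirror of the malware's decoder: '+' becomes a space, the string is base64
// decoded, and the bytes are read as UTF-8, which is what
// decodeURIComponent(escape(atob(x))) produces in a browser.
function decodeFromBase64(input) {
  // A browser's atob() ignores ASCII whitespace, so the spaces simply vanish.
  const cleaned = input.replace(/\+/g, ' ').replace(/\s+/g, '');
  if (!/^[A-Za-z0-9\/]*={0,2}$/.test(cleaned)) return null; // not base64 at all
  return Buffer.from(cleaned, 'base64').toString('utf8');
}

// Pull the `domain` query parameter out of a captured page URL and decode it.
// Returns null when the parameter is missing or does not decode to a hostname,
// so garbage input is never reported as an indicator.
function extractRedirectDomain(capturedUrl) {
  let params;
  try { params = new URL(capturedUrl).searchParams; } catch (e) { return null; }
  const raw = params.get('domain');
  if (raw === null) return null;
  const domain = decodeFromBase64(raw);
  if (!domain || !/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(domain)) return null;
  return domain.toLowerCase();
}

// The href the payload writes into the home link for a decoded domain.
function redirectTarget(domain) {
  return `https://${domain}/?verified=true`;
}

// True for a link that leaves the site and carries the campaign's
// verified=true marker; run it over crawled anchors or proxy logs to spot the
// hijacked home link without executing any page script.
function isOffsiteVerifiedRedirect(href, siteHost) {
  let u;
  try { u = new URL(href); } catch (e) { return false; }
  return u.hostname !== siteHost && u.searchParams.get('verified') === 'true';
}

// Constructed sample: a victim URL carrying the base64 form of "malicious.com".
const SAMPLE_URL = 'https://victim.example/?domain=bWFsaWNpb3VzLmNvbQ%3D%3D';
const found = extractRedirectDomain(SAMPLE_URL);
if (found) {
  console.log(`decoded domain: ${found}`);
  console.log(`visitors will be sent to: ${redirectTarget(found)}`);
}
```

The decoded domain is the indicator to block at the gateway and to search for across other sites you manage.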

This matches known variants from Sucuri and TechRadar reports, where malware serves bogus Cloudflare DDoS CAPTCHAs to deliver payloads.

Cleanup Steps

The malware is commonly injected into WordPress themes (e.g., functions.php), plugins, or fake directories (e.g., themes inside plugins like plugins/plugin-name/theme-fake/). Follow these steps:

  1. Backup and Isolate: Create a full site backup (files + database) and work on a staging site to avoid live disruptions.
  2. Scan for Infections:
    • Use tools like Wordfence, Sucuri SiteCheck, or Malwarebytes to scan files.
    • Manually inspect: Check wp-content/themes/, wp-content/plugins/, and unusual subfolders (e.g., themes in plugins).
    • Look for obfuscated JS in .php files (e.g., base64 blobs or eval() calls).
  3. Remove Malicious Files:
    • Delete infected themes/plugins. Replace with clean versions from official sources.
    • Common locations: Fake plugins (e.g., wp-cache clones), themes in plugins (e.g., plugins/akismet/twenty-twenty/ with injected JS).
    • Remove any hidden .php or .js files with obfuscated code.
  4. Database Cleanup: Scan wp_options and wp_posts for injected scripts (e.g., base64 in serialized data). Use plugins like WP Security Audit Log.
  5. Update and Secure:
    • Update WordPress core, themes, and plugins to the latest versions.
    • Change all passwords (WP admin, FTP, database).
    • Enable 2FA and harden security (e.g., via .htaccess rules, disable file editing in WP).
    • Install security plugins (e.g., Wordfence) for real-time monitoring.
  6. Verify and Monitor: Clear caches, test site functionality, and monitor logs for redirects. Use Cloudflare’s actual CAPTCHA if needed, but confirm it’s legitimate.

Result

After analysis and cleanup, the infected WordPress site was restored to a secure state. No further redirects or fake CAPTCHAs were observed. Regular scans and updates are recommended to prevent reinfection, as this malware exploits outdated components. If the site was blacklisted (e.g., by Google), submit a reconsideration request post-cleanup.