News

Sodinokibi ransomware spreads through fake forums on WordPress sites

Sodinokibi spreads through fake forums. Its operators hack WordPress sites and embed JavaScript code that displays posts from the fake Q&A forum on top of the original site’s content.

Messages contain an alleged “response from the administrator” of the site with an active link to the installer of the ransomware program.

According to the recent publication in BleepingComputer, attackers hack sites and embed a JS script in HTML code. The embedded URL will be active for all visitors, but will only work if the user visits the site for the first time or has not visited the site for a certain period of time.

If it is a first time of visit on a site, will appear a fake message from the Q&A forum, which will be displayed over the contents of the web portal.

The user will not suspect anything, since the fake message on the forum is related to the contents of the hacked page.

“To the user, the above looks like the normal site as the content of the fake forum post is related to the content of the hacked page, but in reality is just an overlay created by the script”, — reports BleepingComputer.

If the user refreshes the page again, the script will not work and the usual content of the resource will be displayed instead.

However, if the user does not refresh the page, he will see a question supposedly from another visitor and the administrator’s response with an active link.

“Hello, I am looking to download letter of termination contract photocopier model. A friend told me he was on your forum. Can you help me?”

In response to the question, a fake answer will be provided by the Admin that provides a direct link to the sought after contract.

“Here is a direct download link, model letter of termination contract photocopier.”

Clicking on the link will download the zip archive from another hacked site. The file contains obfuscated code that downloads a large amount of data from a remote server, which after decryption is stored on the computer as a GIF file.

The file contains a slightly obfuscated PowerShell command used to download Sodinokibi ransomware.

Read also: Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign

During the encryption process, attackers delete shadow copies of the file and indicate the ransom requirements and information on how to acquire the decryptor in the attached note.

To protect yourself from an attack like this, be sure to have some sort of security software installed with real-time protection and never execute files that end with the .js extension.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Himalayaview.top Pop-up Ads

About Himalayaview.top Himalayaview.top pop-ups can not launch out of the blue. If you have actually…

8 hours ago

Remove Youdilgad.top Pop-up Ads

About Youdilgad.top Youdilgad.top pop-ups can not expose out of the blue. If you have clicked…

8 hours ago

Remove Alkads.com Pop-up Ads

About Alkads.com Alkads.com pop-ups can not launch out of the blue. If you have clicked…

8 hours ago

Remove Bigamirt.xyz Pop-up Ads

About Bigamirt.xyz Bigamirt.xyz pop-ups can not launch out of nowhere. If you have clicked some…

8 hours ago

Remove Micorban.xyz Pop-up Ads

About Micorban.xyz Micorban.xyz pop-ups can not open out of the blue. If you have actually…

9 hours ago

Remove Msdefender.co.in Pop-up Ads

About Msdefender.co.in Msdefender.co.in pop-ups can not expose out of the blue. If you have actually…

2 days ago