According to the recent publication in BleepingComputer, attackers hack sites and embed a JS script in HTML code. The embedded URL will be active for all visitors, but will only work if the user visits the site for the first time or has not visited the site for a certain period of time.
If it is a first time of visit on a site, will appear a fake message from the Q&A forum, which will be displayed over the contents of the web portal.
The user will not suspect anything, since the fake message on the forum is related to the contents of the hacked page.
“To the user, the above looks like the normal site as the content of the fake forum post is related to the content of the hacked page, but in reality is just an overlay created by the script”, — reports BleepingComputer.
If the user refreshes the page again, the script will not work and the usual content of the resource will be displayed instead.
However, if the user does not refresh the page, he will see a question supposedly from another visitor and the administrator’s response with an active link.
“Hello, I am looking to download letter of termination contract photocopier model. A friend told me he was on your forum. Can you help me?”
In response to the question, a fake answer will be provided by the Admin that provides a direct link to the sought after contract.
“Here is a direct download link, model letter of termination contract photocopier.”
Clicking on the link will download the zip archive from another hacked site. The file contains obfuscated code that downloads a large amount of data from a remote server, which after decryption is stored on the computer as a GIF file.
The file contains a slightly obfuscated PowerShell command used to download Sodinokibi ransomware.
Read also: Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign
During the encryption process, attackers delete shadow copies of the file and indicate the ransom requirements and information on how to acquire the decryptor in the attached note.
To protect yourself from an attack like this, be sure to have some sort of security software installed with real-time protection and never execute files that end with the .js extension.
About News-xbuhoxu.store News-xbuhoxu.store pop-ups can not open out of nowhere. If you have actually clicked…
About News-xbadeyo.today News-xbadeyo.today pop-ups can not introduce out of nowhere. If you have clicked on…
About News-bbutohu.info News-bbutohu.info pop-ups can not open out of nowhere. If you have actually clicked…
About News-bbucoxe.today News-bbucoxe.today pop-ups can not launch out of the blue. If you have clicked…
About News-xdetake.cc News-xdetake.cc pop-ups can not expose out of nowhere. If you have clicked on…
About News-bbufiya.today News-bbufiya.today pop-ups can not expose out of nowhere. If you have clicked some…