Sodinokibi ransomware spreads through fake forums on WordPress sites

Sodinokibi spreads through fake forums. Its operators hack WordPress sites and embed JavaScript code that displays posts from the fake Q&A forum on top of the original site’s content.

Messages contain an alleged “response from the administrator” of the site with an active link to the installer of the ransomware program.

According to the recent publication in BleepingComputer, attackers hack sites and embed a JS script in HTML code. The embedded URL will be active for all visitors, but will only work if the user visits the site for the first time or has not visited the site for a certain period of time.

If it is a first time of visit on a site, will appear a fake message from the Q&A forum, which will be displayed over the contents of the web portal.

The user will not suspect anything, since the fake message on the forum is related to the contents of the hacked page.

“To the user, the above looks like the normal site as the content of the fake forum post is related to the content of the hacked page, but in reality is just an overlay created by the script”, — reports BleepingComputer.

If the user refreshes the page again, the script will not work and the usual content of the resource will be displayed instead.

However, if the user does not refresh the page, he will see a question supposedly from another visitor and the administrator’s response with an active link.

“Hello, I am looking to download letter of termination contract photocopier model. A friend told me he was on your forum. Can you help me?”

In response to the question, a fake answer will be provided by the Admin that provides a direct link to the sought after contract.

“Here is a direct download link, model letter of termination contract photocopier.”

Clicking on the link will download the zip archive from another hacked site. The file contains obfuscated code that downloads a large amount of data from a remote server, which after decryption is stored on the computer as a GIF file.

The file contains a slightly obfuscated PowerShell command used to download Sodinokibi ransomware.

Read also: Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign

During the encryption process, attackers delete shadow copies of the file and indicate the ransom requirements and information on how to acquire the decryptor in the attached note.

To protect yourself from an attack like this, be sure to have some sort of security software installed with real-time protection and never execute files that end with the .js extension.