Sodinokibi ransomware spreads through fake forums on WordPress sites

Sodinokibi ransomware operators distribute it through fake forums. To do this, they hack WordPress sites and embed JavaScript code that displays posts from the fake Q & A forum on top of the original site’s content.

Messages contain an alleged “response from the administrator” of the site with an active link to the installer of the ransomware program.

According to the recent publication in BleepingComputer, attackers hack sites and embed a JS script in HTML code. The embedded URL will be active for all visitors, but will only work if the user visits the site for the first time or has not visited the site for a certain period of time.

Read also: Android malware with 1.5 million downloads secretly clicked on ads from users

If it is a first time of visit on a site, will appear a fake message from the Q & A forum, which will be displayed over the contents of the web portal.

The user will not suspect anything, since the fake message on the forum is related to the contents of the hacked page.

“To the user, the above looks like the normal site as the content of the fake forum post is related to the content of the hacked page, but in reality is just an overlay created by the script”, — reports BleepingComputer.

If the user refreshes the page again, the script will not work and the usual content of the resource will be displayed instead.

However, if the user does not refresh the page, he will see a question supposedly from another visitor and the administrator’s response with an active link.

“Hello, I am looking to download letter of termination contract photocopier model. A friend told me he was on your forum. Can you help me?” In response to the question, a fake answer will be provided by the Admin that provides a direct link to the sought after contract. “Here is a direct download link, model letter of termination contract photocopier.”

Clicking on the link will download the zip archive from another hacked site. The file contains obfuscated code that downloads a large amount of data from a remote server, which after decryption is stored on the computer as a GIF file.

The file contains a slightly obfuscated PowerShell command used to download Sodinokibi ransomware.

During the encryption process, attackers delete shadow copies of the file and indicate the ransom requirements and information on how to acquire the decryptor in the attached note.To protect yourself from an attack like this, be sure to have some sort of security software installed with real-time protection and never execute files that end with the .js extension.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button