Attackers hack WordPress sites and create fake forums to distribute Sodinokibi ransomware
What is the problem?
The detailed picture
This fake forum post will contain information related to the content of the page that the user is visiting, to make it look legitimate.
- The injected script URL is requested by every visitor, but the server only returns a payload when the visitor is on the site for the first time or has not returned for a certain period; a browser that has already visited the site receives an empty response.
- For those first-time visitors, the injected script overlays a fake French question-and-answer forum post on top of the page content.
- The fake Q&A post contains an answer from the site's admin that includes a link.
- Clicking the link downloads a ZIP archive from another compromised site.
- The ZIP archive contains a JScript file whose obfuscated code connects to a remote server.
- The server responds with data that the script decrypts and saves as a GIF file.
- That GIF file holds an obfuscated PowerShell command that downloads and executes the Sodinokibi ransomware on the victim's computer.
- Once running, Sodinokibi encrypts files, deletes shadow copies and drops a ransom note.
- The ransom note directs the victim to a Tor payment site with instructions for purchasing a decryptor.
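Two of the disguises in this chain can be checked offline with a few lines of analysis code: the downloaded archive hides a script behind a harmless-looking name, and the second stage is written to disk as a "GIF" that is really PowerShell text. The following is an added example written for this page, not code from the article or from BleepingComputer; the script-extension list, the PowerShell indicator patterns and the sample archive and GIF blobs are constructed assumptions for illustration, not artifacts from the campaign.

```python
import io
import re
import zipfile

# Extensions Windows hands to the Windows Script Host or a shell when the
# user double-clicks the extracted file. Assumed list for this example, not
# taken from the article.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                     ".ps1", ".cmd", ".bat"}

# A genuine GIF starts with one of these two signatures.
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Indicators of PowerShell code inside a file that claims to be an image.
# Constructed for illustration; a production rule set would be broader.
POWERSHELL_MARKERS = [
    re.compile(rb"powershell(\.exe)?", re.I),
    re.compile(rb"-(?:encodedcommand|enc|e)\b", re.I),
    re.compile(rb"\bIEX\b|Invoke-Expression", re.I),
    re.compile(rb"Net\.WebClient|DownloadString|DownloadFile", re.I),
    re.compile(rb"FromBase64String", re.I),
]


def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is a script type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Use the last extension only: "Answer.pdf.js" is still a script.
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def inspect_gif(data: bytes) -> dict:
    """Classify a blob that a script wrote to disk under a .gif name.

    A valid header does not clear the file: the chain described above saves
    decrypted command text as a GIF, so the content is what matters.
    """
    hits = [p.pattern.decode() for p in POWERSHELL_MARKERS if p.search(data)]
    return {
        "valid_gif_header": data.startswith(GIF_MAGIC),
        "powershell_markers": hits,
        "suspicious": bool(hits),
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive the fake forum link serves."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Answer.pdf.js", "var a='x';/* obfuscated stage 1 */")
        zf.writestr("readme.txt", "not a script")
    return buf.getvalue()


# Constructed samples: a minimal real 1x1 GIF with no code, and a fake one
# that carries a GIF header followed by a PowerShell download cradle
# (the base64 argument is deliberately left as a placeholder).
BENIGN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"
              + b"\xff\xff\xff\x00\x00\x00" + b";")
FAKE_GIF = (b"GIF89a" + b"\x00" * 16
            + b"powershell -nop -w hidden -enc <base64 omitted>")


def run_checks() -> dict:
    """Run both checks over the constructed samples and return the verdicts."""
    return {
        "zip_scripts": script_members(build_sample_zip()),
        "benign_gif": inspect_gif(BENIGN_GIF),
        "fake_gif": inspect_gif(FAKE_GIF),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

Run against a real sample, `script_members` flags the archive before anyone opens it, and `inspect_gif` shows why checking only the magic bytes is not enough: the fake file passes the header test and still fails on content.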
BleepingComputer has also created a demonstration video that explains how this attack method works.