Attackers hack WordPress sites and create fake forums to distribute Sodinokibi ransomware

• Attackers hack WordPress sites and inject a JavaScript script to display a fake French Question and Answers forum post.
• This fake Q&A forum post contains an answer from the site's admin along with a malicious link.

What is the problem?

The attackers behind the Sodinokibi ransomware are distributing the ransomware by hacking WordPress sites and injecting JavaScript that displays a fake Q&A forum post over the content of the original site.

The detailed picture

This fake forum post will contain information related to the content of the page that the user is visiting, to make it look legitimate.

• Attackers hack WordPress sites and inject a JavaScript script into the HTML page.
• The injected URL will be active to all visitors, but will only contain data if the user is visiting for the first time or has not visited the site for a certain amount of time.
• For those first time visitors, the injected script will display a fake French Question and Answers forum post over the content.
• This fake Q & A forum post contains an answer from the site's admin along with a link.
• Upon clicking on the link, a zip file will be downloaded from a random hacked site.
• The Zip file contains a JScript file, which includes an obfuscated code that will connect to a remote server.
• The server responds with data, which will be decrypted and saved as a GIF file.
• This GIF file contains an obfuscated PowerShell command that downloads and executes the Sodinokibi ransomware on the victims’ computer.
• Upon execution, Sodinokibi ransomware encrypts files, delete shadow copies, and drops a ransomware note.
• The ransomware note leads the victims to a Tor payment site that contains instructions on how to purchase a decryptor.

Worth noting

If a visitor refreshes the page, the injected JavaScript script will not fire and the normal page will be displayed. On the other hand, if the visitor does not refresh the page, the script will display a question, as if another visitor posted the question. Upon which, a fake answer will be provided by the Admin along with a link.

BleepingComputer has also created a demonstration video that explains how this attack method works.