BleepingComputer founder Lawrence Abrams warned that Sodinokibi ransomware operators are using a very sophisticated method to distribute their malware. They create fake Q&A forums on hacked WordPress sites and then post fake messages there, disguised as admin responses and containing links to download malware.
In practice, the criminals use a fake overlay that places a question-and-answer forum on top of the hacked site's content. As a result, the fake forum post contains information that actually relates to the content of the page the user is visiting. This gives the impression that the answer and link posted by the “admin” are legitimate.
If the victim is visiting the site for the first time, the script displays a fake message in French over the content of the site. If the user then refreshes the page, the script does not run again, and only the normal page is displayed. A video demonstrating the attack can be seen below.