BleepingComputer Founder Lawrence Abrams warned that Sodinokibi ransomware operators are using a very sophisticated method to distribute their malware. So, they create fake Q&A forums on hacked WordPress sites, and then post fake messages there, disguised as admin responses and containing links to download malware.
In fact, the criminals use a fake overlay that places a forum with questions and answers on top of the content of the hacked site. As a result, the fake forum post contains information that is actually about the content of the page the user is visiting. This gives the impression that the answer and link posted by the “admin” are legitimate.
Abrams writes that the new Sodinokibi distribution method was first noticed by an information security expert known by the pseudonym 
Aura. The actions of the attackers are similar to the old attack technique HoeflerText. The essence of this technique is reflected in its name: the user is shown a pop-up message and is offered to download the HoeflerText font package. Allegedly, without this, it is impossible to view the landing page. In the case of Sodinokibi, the attackers also inject JavaScript into HTML on hacked sites, as shown in the illustration below. Moreover, the embedded URL will be active for all visitors, but contains data only if the user visits the site for the first time or has not visited the resource for a certain period of time.
So, if the victim came to the site for the first time, the script will cause the appearance of a fake a message in French that will be displayed over the content of the site. Moreover, if the user refreshes the page again, the script will not be run, and only the normal page will be displayed. A video demonstrating the attack can be seen below.
The specialist warns that to protect against such attacks, you should take care to use security software, and also never execute files that end in the .js extension.
