BleepingComputer founder Lawrence Abrams warned that Sodinokibi ransomware operators are using a very sophisticated method to distribute their malware: they create fake Q&A forums on hacked WordPress sites and post fake messages there, disguised as admin responses, that contain links to download malware.
In fact, the criminals use a fake overlay that places a forum with questions and answers on top of the content of the hacked site. As a result, the fake forum post contains information that is actually about the content of the page the user is visiting. This gives the impression that the answer and link posted by the “admin” are legitimate.
Abrams writes that the new Sodinokibi distribution method was first noticed by an information security expert known by the pseudonym
If the victim is visiting the site for the first time, the script displays a fake message in French over the content of the site. If the user then refreshes the page, the script is not run, and only the normal page is displayed. A video demonstrating the attack can be seen below.
The specialist warns that, to protect against such attacks, you should use security software and never execute files that end in the .js extension.