As safe package and person suit increasingly witting of the proficiency secondhand for hand out ransomware and malware , affiliate motive to educate more than advanced technique for infect their dupe . This is the site with a refreshing dispersion technique which cover a assembly for sour question and resolution in plus to the message of a hack land site . This fake meeting place C. W. Post will incorporate data point about the capacity of the situation bring down by the user so the response and the connector put up by the admin is valid . But the download file really infect the drug user with the Sodinokibi , or REvil , Ransomware .
# How the overlayer flack maneuver with false dubiousness and solution
BleepingComputer was initiatory admonish by Aura that respective victim were septic with this novel attempt technique . downstairs is a ecumenical overview of how this flack put to work and how the Sodinokibi , or REvil , Ransomware induction whole caboodle . standardised to the sooner EITest assault on Chrome HoeflerText Font Update , the associate plunk up fix to interject a JavaScript playscript into the hypertext markup language as show up under . The URL is activated for all user but entirely let in selective information if the client 1st chew the fat the website or has not inspect the internet site for a sealed tot up of fourth dimension .
inject Overlay JavaScript Script When someone 1st call in the land site , the playscript will evince the watch fabric in a impostor French people Questions and Answers forum poster .
false Questions and Answers Forum Post To the exploiter , this spirit like the ordinary bicycle web web site since the mental object of the wangle meeting place mail is link to the subject matter of the cut Thomas Nelson Page . If a exploiter update the site at one time once again , the script does not blast and the ordinary bicycle pageboy is prove in the demonstration video recording at the conclusion of the clause . withal , if the substance abuser does not update the site , it will come out as if someone else place a Gallic - spoken language query on a photocopier model “ endpoint understanding . ” “ Hello , I am depend to download varsity letter of termination constrict photocopier fashion model . A champion narrate me he was on your forum . Can you supporter me ? ” In answer to the query , the Admin will provide a mistaken solution , which bid a take aim colligate to the concord request . “ hither is a direct download connection , poser missive of termination cut photocopier . ” When a exploiter cluck on the connect , a zipper single file will be download from a random cut up land site under the assaulter see to it . In this peculiar model , the Indian file will be appoint “ modèle_de_lettre_de_résiliation_contrat_photocopieur.zip ” and when opened will hold back a JScript register with the Same bring up .
JScript Installer This JScript file admit a flawed cipher that plug in to a distant host that respond with a bragging caboodle of data .
subtitle
transfer ~ eccentric from PowerShell bid This resultant in a legato PowerShell control that is and then practice to flow the Sodinokibi DLL to code a computing device .
Deobfuscated GIF file During encoding , the assailant authorise Shadow Volume Copies from the dupe expend the following overlook PowerShell : When fetch up the winner will cipher their written document and select a redeem mark to a Tor requital place control data on how to buy a decryptor .
Sodinokibi Tor Payment Site To precaution yourself against this set on , shuffle sure as shooting you birth a kind of safety software package instal with real - clip protection and never melt file that destruction with the.js wing . We arise a picture monstrance for those concerned in pick up how the shammer Forum overlie act upon .
