
Fake Chrome & Firefox Font Update Drops RAT and Locky Ransomware



Sept 7, 2017


Google Chrome, with 2 billion active users, is the most used web browser in the world. Firefox, meanwhile, has over 1 billion active users, making these two browsers perfect and lucrative targets for hackers and cyber criminals.


Recently, Brad Duncan, an IT security researcher, discovered a campaign called “EITest” that targets unsuspecting Chrome users and ends up delivering RAT malware to the targeted Windows device.


The EITest campaign was first discovered back in 2016, infecting users with ransomware like Mole and Spora by tricking them into downloading a “fake Google Chrome missing font” through pop-ups on compromised WordPress websites. Since August 2017, however, the campaign has changed: it now aims at distributing the NetSupport Manager remote access tool (RAT).


In the latest campaign, the distribution method for the malware remains the same, i.e., through compromised websites: the malicious code is disguised, and as the victims try to modify the text, the malware gets installed on the computer.


Once a user visits the compromised site, it shows a pop-up message stating that the website is only viewable in the “Hoefler Text” font, which can be installed by clicking the “update” tab. As shown in the screenshot below, the pop-up states: “The HoeflerText font wasn’t found. The webpage you are trying to load is displayed incorrectly, as it uses the “Hoefler Text” font. To fix the error and display the text, you have to update the “Chome Font Pack.”




Upon clicking the “update” tab, a file named “Chrome_Font.exe” is downloaded to the victim’s computer. It installs the NetSupport Manager remote access tool (RAT), publicly available software previously used in October 2016 for hacking Steam gaming accounts.


Network traffic follows two distinct paths. Victims who use Microsoft Internet Explorer as their web browser will get a fake anti-virus alert with a phone number for a tech support scam. Victims using Google Chrome as their browser will get a fake HoeflerText popup that offers malware disguised as Font_Chrome.exe, writes Brad Duncan.




In a separate blog post, Duncan wrote that he also discovered exactly the same malware campaign being distributed through email, but with Dropbox as the bait and Firefox users as the target.


The cybercriminals are sending emails to unsuspecting users and tricking them into clicking on a link that claims to be from Dropbox and asks them to verify their email. In reality, it takes users to a fake Dropbox page hosted on a compromised Russian website.




Upon visiting the compromised domain, Duncan noted a similar “Hoefler Text” font download pop-up. However, upon clicking the Update tab, he received a JavaScript file named Win.JSFontlib09.js. That JavaScript file is designed to download and install Lukitus, a variant of Locky ransomware.




Locky is one of the most dangerous ransomware programs, known for targeting the healthcare industry, law firms, etc. Just a few days ago, it was reported that a Locky ransomware strain targeted US-based users with over 23 million infected emails, a campaign that is quite intriguing and sophisticated given the number of emails sent.


If you are using Chrome, Firefox or any other web browser, it is highly advised never to open an unknown email, never to click links in an unknown email and never to download attachments from an email you are not familiar with. Also, there is no need to update a Chrome or Firefox font pack at all, as there is no issue with them, and in case you visit a site showing a similar update pop-up, you know what to do.
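
A detection sketch for the delivery step described above, added here as an example and not code from the original article or from Brad Duncan's analysis: it flags web proxy records in which a file with "font" in its name is served to the browser as a runnable download. The JSON-lines record layout, field names, hosts and client addresses are assumptions; only the file names Font_Chrome.exe and Win.JSFontlib09.js come from the article.

```python
import json
import posixpath
import re
from urllib.parse import unquote, urlsplit

# File types that execute on Windows when opened; real web fonts are .woff/.woff2/.ttf/.otf.
RUNNABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta"}
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
FONT_WORD = re.compile(r"font", re.IGNORECASE)
CD_FILENAME = re.compile(r'filename="?([^";]+)"?', re.IGNORECASE)


def delivered_name(event):
    """File name the browser would save: Content-Disposition wins over the URL path."""
    match = CD_FILENAME.search(event.get("content_disposition", ""))
    if match:
        return unquote(match.group(1)).strip()
    return posixpath.basename(unquote(urlsplit(event["url"]).path))


def is_fake_font_download(event):
    """True when a 'font' is pushed to the user as a runnable file download."""
    name = delivered_name(event)
    ext = posixpath.splitext(name)[1].lower()
    as_download = (
        "attachment" in event.get("content_disposition", "").lower()
        or event.get("content_type", "").lower() in DOWNLOAD_TYPES
    )
    # A script such as webfont.js loaded inline by a page is not a download, so it is skipped.
    return bool(FONT_WORD.search(name)) and ext in RUNNABLE_EXTS and as_download


def scan(log_lines):
    """Return (client, file name) for each flagged JSON-lines proxy record."""
    events = (json.loads(line) for line in log_lines)
    return [(e["client"], delivered_name(e)) for e in events if is_fake_font_download(e)]


# Constructed sample records (assumed layout); hosts and client addresses are placeholders.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"client": "10.0.0.5", "url": "http://compromised.example/dl?id=1",
     "content_type": "application/octet-stream",
     "content_disposition": 'attachment; filename="Font_Chrome.exe"'},
    {"client": "10.0.0.6", "url": "http://compromised.example/Win.JSFontlib09.js",
     "content_type": "application/octet-stream", "content_disposition": "attachment"},
    {"client": "10.0.0.7", "url": "https://cdn.example/js/webfont.js",
     "content_type": "application/javascript", "content_disposition": ""},
    {"client": "10.0.0.8", "url": "https://cdn.example/fonts/hoefler.woff2",
     "content_type": "font/woff2", "content_disposition": ""},
)]
```

Calling `scan(SAMPLE_LOG)` returns the two lure downloads and leaves the legitimate font script and the real web font alone.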



This topic is now archived and is closed to further replies.
