A new malware campaign targets Chrome users

NeoSmart Technologies recently identified a malicious campaign that spreads through legitimate, but compromised, websites:

Today while browsing a (compromised) WordPress site that shall remain unnamed, I came across a very interesting “hack” that was pulled off with a bit more finesse than most of the drive-by-infection attempts.

The attacker injects JavaScript into the compromised websites that alters their text rendering, so the pages are displayed as scrambled text containing symbols and other random characters.

So if Chrome users come across such websites, the script makes the website unreadable and prompts them to fix the issue by updating their ‘Chrome font pack.’

The prompt window says:

“The ‘HoeflerText’ font wasn’t found”

and asks users to download and install the “Chrome Font Pack.”

If installed, the application tries to infect the machine with malware (supposedly ransomware):

[embed]https://www.virustotal.com/en/file/7e62a5ca20cfb5da90fe7402f413321c9ede7e230e8b4fa2f1a4e516e8ae8e34/analysis/1487439542/[/embed]

Indeed, the malware's behavior (e.g. disabling shadow copies) suggests that it is ransomware:

[embed]https://sandbox.deepviz.com/report/hash/6fc30d8a8d354f2a8128874cf84d0353/[/embed]
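As an added example (not taken from the original article or the sandbox report), the sketch below shows how a defender could flag the shadow-copy tampering mentioned above in process-creation logs. The log format, the host and process names, and the command patterns are assumptions; the page does not say which commands this sample ran.

```python
import re

# Assumption: command lines commonly seen when shadow copies or recovery are
# disabled; the page does not say which commands this sample ran.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s.*\bdelete\s+shadows\b")),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\s.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b")),
]
# Hypothetical one-line-per-process log format used by the sample below.
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")


def normalize(cmd):
    """Lower-case the command line, drop quotes and collapse whitespace."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def scan(lines):
    """Return one alert per process-creation record that matches a rule."""
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a process-creation record in the assumed format
        cmd = normalize(m["cmd"])
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append({"ts": m["ts"], "host": m["host"],
                               "parent": m["parent"], "rule": name})
                break  # one alert per record is enough
    return alerts


# Constructed sample records: hosts, parents and timestamps are made up.
SAMPLE = [
    r'2017-02-18T17:40:10Z host=WS-014 parent=chrome.exe cmd="C:\Users\a\Downloads\font_pack_sample.exe"',
    r'2017-02-18T17:40:12Z host=WS-014 parent=font_pack_sample.exe cmd="C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'2017-02-18T17:40:13Z host=WS-014 parent=cmd.exe cmd=WMIC.exe  shadowcopy   delete',
    r'2017-02-18T17:40:15Z host=WS-014 parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No',
    r'2017-02-18T09:00:00Z host=SRV-02 parent=mmc.exe cmd=vssadmin.exe list shadows',
    "unparseable line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The parent process in each alert is what separates a browser-downloaded installer from backup or administration tooling that legitimately manages shadow copies.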


For more technical info, please refer to the original article:

[embed]https://neosmart.net/blog/2017/beware-of-this-new-chrome-font-wasnt-found-hack/[/embed]