The ‘HoeflerText’ font wasn’t found? Beware, it’s a trap!

A new malware campaign targets Chrome users

NeoSmart Technologies recently identified a malicious campaign that spreads through legitimate, but compromised, websites:

Today while browsing a (compromised) WordPress site that shall remain unnamed, I came across a very interesting “hack” that was pulled off with a bit more finesse than most of the drive-by-infection attempts.

The attacker injects JavaScript into the compromised websites to modify their text rendering, so that the pages display scrambled text made up of symbols and other random characters.

So if Chrome users come across such websites, the script makes the website unreadable and prompts them to fix the issue by updating their ‘Chrome font pack.’

The prompt window says:

“The ‘HoeflerText’ font wasn’t found”

and asks users to download and install the “Chrome Font Pack”.

If installed, the application tries to infect the machine with malware (supposedly ransomware):

Indeed, the malware's behavior (e.g. disabling ShadowCopies) tends to identify it as ransomware:

For more technical info, please refer to the original article:
