Security researcher, Brad Duncan, has recently noticed two different campaigns using “HoeflerText font was not found” pop-ups to spread malware. When a user enters a compromised site, he/she is informed that they need to install an update in order to view the site. This can either lead to RAT (remote access tool) to be installed, or to Locky ransomware. Strangely enough, the first solely affects Google Chrome, and the second one works on only Chrome and Mozilla Firefox.

Fake HoeflerText font update pushes RAT and Locky onto Chrome and Firefox user

Chrome HoeflerText font update spreads RAT malware

For Google Chrome users, when they enter the compromised site, a notification will pop-up and prevent the user from accessing the page. It will explain that the “HoeflerText” font was not found, and that you need to update your “Chrome Font Pack”. Supposedly, the website the user is trying to access uses that particular font, and because it is not installed on the user’s computer, the text cannot be displayed properly. It has the Chrome logo on it, displays Google Inc. as the manufacturer, but does not look remotely legitimate. Unfortunately, a lot of less-experienced users may fall for this, and the consequences may not be pleasant.

Chrome HoeflerText font update spreads RAT malware

If the user pressed the Update button, a “Chrome_Font.exe” file would download onto the computer. When opened, it would install the NetSupport Manager remote access tool. This tool is associated with another malware campaign which led to hacked Steam accounts.

Chrome_Font

The same type campaign was used last year to spread various ransomware, and it is unknown why it is now deploying RAT instead of file-encrypting malware. The tool does not really have a presence, and users might not even notice it being there. If you do encounter it installed, it could be related to some sort of malware activity. It should also be noted that the site which shows the malicious pop-up will only work on Google Chrome. Duncan notes that if an Internet Explorer user was to enter the site, he/she would get a tech-support scam with a phone number instead of the pop-up.

Same type of pop-up leads Firefox and Chrome users to Lukitus ransomware

Duncan also noticed the same type of pop-up in a different campaign. And this one is leading to Lukitus ransomware. If you are not familiar with that name, you might recognize Locky ransomware. That is one of the most infamous file-encrypting pieces of malware, and after some time of being in the shadows, it has reappeared with a new name, Lukitus.

This malware campaign uses fake Dropbox emails to lead users to the ransomware. Victims get an email, from supposedly Dropbox, claiming that they need to verify their email before signup is completed. If you were to press on the ‘Verify your email’ button, they would be taken to a site that displayed the previously mentioned “HoeflerText” pop-up. Note that depending on your browser, you might get a different site. If users were using Internet Explorer or Microsoft Edge to access the linked site, they would be taken to a fake Dropbox site, and nothing would happen. However, Firefox and Chrome users will see the notification.

RAT instead of file-encrypting

If the user presses the Update button, a file named Win.JSFontlib09.js will download onto the computer. According to Duncan, the file will download and install Locky. Once Locky’s inside the victim’s computer, files will be encrypted, and a ransom note will be dropped.

Win-JSFontlib09

As far as elaborate spread methods go, this might not be very effective. And it is not new either. Fake pop-up updates have been used to spread malware before. This particular infection is also very easy to avoid. Just refrain from opening email links and attachments from senders you do not recognize, and do not install extensions without making sure they are safe. A simple Google search would have told you that installing the HoeflerText update would lead to malware. And in any case, no browser will ever ask you to install a font update.

Leave a Reply