Chrome Users Targeted in Malware Campaign

A recently observed malware distribution campaign has been specifically devised to target users of the Chrome browser on Windows-based computers, Proofpoint security researchers warn.

The campaign uses the infamous EITest infection chain, which has been previously associated with numerous exploit kit attacks leading to ransomware, information stealers, and other malware. First documented in 2014, EITest has seen numerous changes, and the switch to more targeted attacks instead of relying on exploit kits for infection is one of them.

The new variant was first noticed in December 2016, when a compromised website was dropping a file named “Chrome_Font.exe” onto visitors’ computers. Proofpoint discovered that the site had been compromised by EITest and that it served the file only after a series of filtering checks had passed.

The attack, the researchers found, specifically targeted users of Chrome on Windows. Once a visitor was identified as using that browser, code injected into the page rendered its text unreadable and displayed a fake alert prompting the user to download and install a file that supposedly contained missing fonts.

“The infection is straightforward: if the victim meets the criteria – targeted country, correct User-Agent (Chrome on Windows) and proper referer – the script is inserted in the page and rewrites the compromised website on a potential victim’s browser to make the page unreadable, creating a fake issue for the user to resolve,” Proofpoint researcher Kafeine explains.

The website, however, would attempt to infect Internet Explorer users as well. As long as they met specific criteria, they were exposed to a more “classic” exploit kit attack, the researcher notes.

The attack on Chrome users worked by storing all the text between the page’s HTML tags in an array and then replacing it with “&#0”. Because “&#0” is not a valid character reference, the browser displayed the replacement character � in its place, so the page appeared garbled.

A fake alert displayed in the browser then prompted the user to install an updated font pack in order to view the page. The victim was told that a specific font (“HoeflerText,” in Proofpoint’s example) wasn’t found and that the update should be installed immediately. The fake alert could not be closed using its “x” button, and the malware executed as soon as the user approved the so-called update.
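The two signals described above, text nodes rewritten into “&#0” references and a “font wasn’t found, install the update” lure, can be checked for heuristically. The following Node.js script is an added example written for this page; it is not Proofpoint’s code or anything from the original article. The two sample pages, the wording of the lure pattern and the 0.5 threshold are constructed assumptions for illustration.

```javascript
// Added example: a heuristic check for the EITest "font pack" inject described
// above. It is not Proofpoint's code; the sample pages, the lure pattern and
// the 0.5 threshold are constructed assumptions for illustration.

// Constructed sample pages: one normal, one rewritten the way the article
// describes (text between tags replaced with "&#0", plus a fake font alert).
const SAMPLE_CLEAN =
  '<html><body><h1>Welcome</h1><p>Normal article text here.</p></body></html>';
const SAMPLE_INJECTED =
  '<html><body><h1>&#0&#0&#0</h1><p>&#0&#0 &#0&#0&#0</p>\n' +
  '<div id="font-alert">The "HoeflerText" font wasn\'t found. ' +
  'Update and install the font pack now.</div></body></html>';

// Matches the "&#0" / "&#0;" numeric reference and a literal U+FFFD.
const REPLACEMENT_RE = /&#0;?|\uFFFD/g;

// Pull the text nodes out of an HTML string without a DOM. Script and style
// bodies are dropped; this is a heuristic tokenizer, not a full HTML parser.
function textNodes(html) {
  const noScripts = html.replace(/<(script|style)[\s\S]*?<\/\1\s*>/gi, '');
  return noScripts
    .split(/<[^>]*>/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Signal 1: how many text nodes consist of nothing but replacement tokens.
function replacementStats(html) {
  const nodes = textNodes(html);
  let replacedNodes = 0;
  let replacedTokens = 0;
  for (const node of nodes) {
    const tokens = (node.match(REPLACEMENT_RE) || []).length;
    replacedTokens += tokens;
    const leftover = node.replace(REPLACEMENT_RE, '').replace(/\s+/g, '');
    if (tokens > 0 && leftover === '') replacedNodes += 1;
  }
  return {
    nodes: nodes.length,
    replacedNodes,
    replacedTokens,
    nodeRatio: nodes.length === 0 ? 0 : replacedNodes / nodes.length,
  };
}

// Signal 2: a '"<font>" font wasn't found' message that asks the user to
// install or update something. The wording is an assumption modelled on the
// article's description, not the actual text of the campaign.
const FONT_NOT_FOUND_RE =
  /["\u201C]([^"\u201D]+)["\u201D]\s+font\s+(?:wasn['\u2019]?t|was not|is not|not)\s+found/i;
const INSTALL_PROMPT_RE = /\b(?:install|update)\b[^.]*\bfont/i;

function findFontLure(html) {
  const text = textNodes(html).join(' ');
  const nameMatch = FONT_NOT_FOUND_RE.exec(text);
  const asksInstall = INSTALL_PROMPT_RE.test(text);
  return {
    found: nameMatch !== null && asksInstall,
    fontName: nameMatch ? nameMatch[1] : null,
  };
}

// Combine both signals into a verdict. A page whose text nodes are mostly
// replacement characters AND carries the font lure matches the pattern the
// article describes; either signal alone is only worth a second look.
function assessPage(html, nodeRatioThreshold = 0.5) {
  const stats = replacementStats(html);
  const lure = findFontLure(html);
  const garbled = stats.replacedTokens > 0 && stats.nodeRatio >= nodeRatioThreshold;
  let verdict = 'clean';
  if (garbled && lure.found) verdict = 'font-lure-inject';
  else if (garbled || lure.found) verdict = 'review';
  return { ...stats, lure, verdict };
}

console.log(assessPage(SAMPLE_CLEAN).verdict);    // clean
console.log(assessPage(SAMPLE_INJECTED).verdict); // font-lure-inject
```

The node ratio is used rather than a character count because the fake alert itself contributes ordinary text; a page where most text nodes have been wiped to “&#0” while one node asks for a font install is the combination worth flagging, whereas a single stray replacement character is common on legitimate pages with encoding problems.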

Proofpoint suggests that the campaign was launched on December 10, 2016, and says that the “Chrome_Font.exe” file users are tricked into installing is in fact the ad fraud malware known as Fleercivet.

The malware is distributed through an affiliate program. Its affiliate was initially seen on underground markets as “Simby” until it disappeared in early 2015, only to reappear later that year as “Clicool.” Once installed, the malware makes the infected computer browse the Internet on its own in the background.

The new campaign, Kafeine says, is notable because the new path added to the EITest compromise chain combines social engineering with the targeting of Chrome users. Other paths have been added to EITest before, such as the redirection to an Android “Police” browser locker spotted in December 2014.

“Because actors are finding it more difficult (and therefore less profitable) to achieve conversions (i.e., malware installations) via exploit kit, they are turning to new strategies. As with other threats, actors are exploiting the human factor and are tricking users into loading the malware themselves, this time via selective injects into websites that create the appearance of problems along with the offer of fake solutions,” Proofpoint’s researcher concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
