Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Fake Chrome Font Update Attack Distributes Ransomware

A malware campaign targeting Chrome users with fake font update notifications is now distributing ransomware instead of ad fraud malware, researchers have discovered.

A malware campaign targeting Chrome users with fake font update notifications is now distributing ransomware instead of ad fraud malware, researchers have discovered.

The malicious campaign, supposedly launched for the first time on December 10, 2016, was initially observed dropping the Fleercivet ad fraud malware, as Proofpoint security researcher Kafeine revealed a couple of weeks ago. The campaign tied to the EITest compromise chain, which has been around for some time, mainly associated with exploit kit activity.

The campaign stood out because it was targeting Chrome for Windows users with clever social engineering tactics: code injected into compromised websites would fingerprint visitors and, if certain criteria were met, it would make the text on the page look unreadable while also displaying a fake alert informing users they needed to install a font pack update to properly view content.

Victims were told that the browser couldn’t find the font needed to properly display the page and that the update should be installed immediately. Users were prevented from closing the fake alert via the “x” button, and the malware would immediately start installing in the background if the user approved the update.

Recently, the campaign has seen some changes, with the final payload replaced with the Spora ransomware, Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, reveals. The infection mechanism, however, remained the same: a fake Chrome popup appears when visiting an infected website and the user installs malware masquerading as a legitimate font update.

The final payload is no longer delivered under the name “Chrome_Font.exe,” but “Update.exe” is used instead. The same as before, however, the file has malicious intent: it installs a piece of ransomware (Spora) that encrypts users’ data and holds it for ransom.

The Spora ransomware emerged last month as one of the most powerful threats in its category. Although new, the malware packed well-implemented encryption procedures, a well-designed payment site, and provided victims with several “packages” to choose from, all of which made researchers believe the threat was the offspring of professionals.

Leveraging Windows CryptoAPI for encryption, the malware uses a mix of RSA and AES and a complex key generation operation that allows it to encrypt files without access to a command and control (C&C) server. What’s more, the encryption process was found to be strong enough to ensure that a decryption tool destined for one victim would not work for another.

Related: Chrome Users Targeted in Malware Campaign

Related: Powerful “Spora” Ransomware Lets Victims Pay for Immunity

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.