A malware campaign targeting Chrome users with fake font update notifications is now distributing ransomware instead of ad fraud malware, researchers have discovered.
The malicious campaign, supposedly launched for the first time on December 10, 2016, was initially observed dropping the Fleercivet ad fraud malware, as Proofpoint security researcher Kafeine revealed a couple of weeks ago. The campaign tied to the EITest compromise chain, which has been around for some time, mainly associated with exploit kit activity.
The campaign stood out because it was targeting Chrome for Windows users with clever social engineering tactics: code injected into compromised websites would fingerprint visitors and, if certain criteria were met, it would make the text on the page look unreadable while also displaying a fake alert informing users they needed to install a font pack update to properly view content.
Victims were told that the browser couldn’t find the font needed to properly display the page and that the update should be installed immediately. Users were prevented from closing the fake alert via the “x” button, and the malware would immediately start installing in the background if the user approved the update.
Recently, the campaign has seen some changes, with the final payload replaced with the Spora ransomware, Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, reveals. The infection mechanism, however, remained the same: a fake Chrome popup appears when visiting an infected website and the user installs malware masquerading as a legitimate font update.
The final payload is no longer delivered under the name “Chrome_Font.exe,” but “Update.exe” is used instead. The same as before, however, the file has malicious intent: it installs a piece of ransomware (Spora) that encrypts users’ data and holds it for ransom.
The Spora ransomware emerged last month as one of the most powerful threats in its category. Although new, the malware packed well-implemented encryption procedures, a well-designed payment site, and provided victims with several “packages” to choose from, all of which made researchers believe the threat was the offspring of professionals.
Leveraging Windows CryptoAPI for encryption, the malware uses a mix of RSA and AES and a complex key generation operation that allows it to encrypt files without access to a command and control (C&C) server. What’s more, the encryption process was found to be strong enough to ensure that a decryption tool destined for one victim would not work for another.