Chrome Users May Be Tricked Into Downloading Ransomware by Fake “Font Update” Campaign

Threat intelligence analyst Brad Duncan has revealed that Chrome users are once again being targeted by the fake Chrome font pack update attack. This time the attacker behind the campaign is delivering Spora ransomware.

Recently, researchers at Proofpoint disclosed that the “Fake Chrome Font Pack Update” campaign was distributing ad-fraud malware known as Fleercivet. Cashing in on its success in delivering that malware to victims, the threat actor has moved one step further and now delivers a ransomware payload directly to the victim.

How does this campaign work?

The attacker first compromises legitimate but vulnerable websites and adds JavaScript code to their pages. The code replaces the page's characters with the “�” sign, making the whole page unreadable. The victim is then presented with a popup claiming that a specific font was not found on the device and that a font package update must be downloaded and installed to view the website's content.

Fig: Flowchart for this infection traffic.

Once a user lands on the compromised website, they are presented with a gibberish web page and a popup alert stating that Chrome needs the “HoeflerText” font in order to display the page properly.

Fig: Popup within Chrome when viewing the compromised website (1).
Fig: Popup within Chrome when viewing the compromised website (2).

Once the user clicks the Update button, Chrome downloads the Spora ransomware installer. Up to this point the user is still safe: unlike many malware and ransomware samples, the downloaded file does not run by itself. It requires human interaction.

When the user falls for the trap and executes the downloaded file, named “update.exe”, Spora begins to encrypt the victim's data, and most data files become encrypted and unusable.

Fig: Spora decryption instructions from the HTML file dropped to the Desktop.

After it has finished encrypting the victim's files, Spora displays a ransom note (shown in the figure above), through which the victim can log in to the Spora payment site and make a payment.

Unfortunately, at this time there is no way to decrypt files encrypted by Spora ransomware for free. Security analysts recommend that users who encounter such a website ‘force close’ the Chrome application and delete their browser data for safer browsing.
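As an added example (not part of the original article or of Brad Duncan's analysis), the following heuristic flags a fetched page that shows the two traits described above: visible text dominated by the “�” replacement glyph and the font-update lure wording. The threshold, phrase list and the two embedded sample pages are constructed assumptions for illustration.

```python
from html.parser import HTMLParser

REPLACEMENT_CHAR = "\ufffd"  # the "�" glyph the injected script leaves behind
LURE_PHRASES = ("hoeflertext", "font pack", "update.exe")  # wording from the campaign

class _PageText(HTMLParser):
    """Split a page into visible text and <script> bodies so each can be scored."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.visible, self.scripts = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.visible).append(data)

def score_page(html, ratio_threshold=0.2):
    """Flag a page that is mostly U+FFFD glyphs *and* carries the font-update lure."""
    parser = _PageText()
    parser.feed(html)
    text = "".join(parser.visible)
    glyphs = [c for c in text if not c.isspace()]
    ratio = glyphs.count(REPLACEMENT_CHAR) / len(glyphs) if glyphs else 0.0
    haystack = (text + " ".join(parser.scripts)).lower()
    hits = [phrase for phrase in LURE_PHRASES if phrase in haystack]
    return {
        "replacement_ratio": round(ratio, 3),
        "lure_hits": hits,
        "script_touches_glyph": any(REPLACEMENT_CHAR in s for s in parser.scripts),
        "suspicious": ratio >= ratio_threshold and bool(hits),
    }

# Constructed samples (not captured traffic): one mimicking the lure, one benign.
LURE_SAMPLE = (
    "<html><body><p>" + REPLACEMENT_CHAR * 60 + "</p>"
    "<div id='alert'>The \"HoeflerText\" font wasn't found. Install the font pack update.</div>"
    "<script>var glyph = '\ufffd'; /* stands in for the injected text rewriter */</script>"
    "</body></html>"
)
BENIGN_SAMPLE = "<html><body><p>Every glyph on this page renders normally.</p></body></html>"

if __name__ == "__main__":
    print(score_page(LURE_SAMPLE))
    print(score_page(BENIGN_SAMPLE))
```

The ratio alone is not conclusive (a genuinely mis-encoded page also shows many “�” glyphs), which is why the verdict also requires the lure wording; tune the threshold against your own crawl data.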