Threat intelligence analyst Brad Duncan has revealed that Chrome users are once again being targeted by the Fake Chrome Font Pack Update attack. This time, the campaign is delivering Spora ransomware.
Recently, researchers at Proofpoint disclosed that the “Fake Chrome Font Pack Update” campaign was distributing ad fraud malware known as Fleercivet. Cashing in on its success in delivering that malware to victims, the threat actor has moved one step ahead and now delivers a ransomware payload directly to the victim.
How does this campaign work?
Once a user lands on a compromised website, the user is presented with a gibberish web page and a popup alert stating that Chrome needs a “HoeflerText” font in order to see the page properly.
Once the user clicks the Update button, Chrome downloads the Spora ransomware installer. At this point, the user is still safe. The downloaded file doesn’t run by itself, as is the case with many malware and ransomware families. It requires human interaction.
When the user falls into the trap and executes the downloaded file, named “update.exe”, Spora begins to encrypt the victim’s data, and most data files become encrypted and unusable.
After encrypting the victim’s files, Spora displays a ransom note (as shown in a figure), where the victim can log in to the Spora payment site and make payments.
Unfortunately, at this time there is no way to decrypt files encrypted by Spora ransomware for free. The security analyst recommends that users who encounter any such website ‘force close’ the Chrome application and delete browser data for safer browsing.
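A defender-side check for the download step described above, as an added example that is not part of the original article: it scans web proxy logs for Chrome clients that fetched a file named “update.exe” from a host other than a trusted update source. The log format, the sample lines, the trusted-host list and the function names are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your organisation accepts as sources of Chrome installers.
TRUSTED_UPDATE_HOSTS = {"dl.google.com"}
# File name reported in the article; extend from your own telemetry.
LURE_NAMES = {"update.exe"}

# Constructed log format: time client status url "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')

# Constructed sample lines, not taken from any real incident.
SAMPLE_LOG = """\
2017-01-01T10:00:01Z 10.0.0.5 200 http://blog.example/post "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0.2883.87 Safari/537.36"
2017-01-01T10:00:09Z 10.0.0.7 200 http://compromised.example/files/Update.exe?id=7 "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0.2883.87 Safari/537.36"
2017-01-01T10:01:30Z 10.0.0.8 200 https://dl.google.com/chrome/update.exe "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0.2883.87 Safari/537.36"
2017-01-01T10:02:11Z 10.0.0.9 200 http://other.example/update.exe "Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0"
2017-01-01T10:03:45Z 10.0.0.6 404 http://gone.example/update.exe "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0.2883.87 Safari/537.36"
"""

def is_chrome(user_agent):
    # Edge and Opera user agents also contain "Chrome/"; exclude them.
    return ("Chrome/" in user_agent
            and "Edge/" not in user_agent
            and "OPR/" not in user_agent)

def find_fake_update_downloads(log_text):
    """Return completed lure-named downloads by Chrome from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, status, url, ua = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Last path segment, case-folded; the query string is already split off.
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if status != "200" or not is_chrome(ua):
            continue  # only completed downloads by the targeted browser
        if filename in LURE_NAMES and host not in TRUSTED_UPDATE_HOSTS:
            hits.append({"time": ts, "client": client, "host": host, "file": filename})
    return hits

if __name__ == "__main__":
    for hit in find_fake_update_downloads(SAMPLE_LOG):
        print(hit)
```

A hit means the installer reached the client, not that it was executed, so follow up on the endpoint before the user runs the file.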