A recently observed malware distribution campaign has been specifically devised to target users of the Chrome browser on Windows-based computers, Proofpoint security researchers warn.
The campaign uses the infamous EITest infection chain, which has been previously associated with numerous exploit kit attacks leading to ransomware, information stealers, and other malware. First documented in 2014, EITest has seen numerous changes, and the switch to more targeted attacks instead of relying on exploit kits for infection is one of them.
The newly observed attack change was first noticed in December, when a compromised website was dropping the “Chrome_Font.exe” file onto visitors’ computers. The site, Proofpoint discovered, was EITest-compromised, and was dropping the file only after a series of filtering mechanisms were triggered.
The attack, security researchers found out, was targeting Chrome for Windows users specifically. As soon as the visitor was determined to use this browser, the code injected in the page would make text unreadable, and a fake alert was displayed, prompting the user to download and install a file supposedly containing new fonts.
“The infection is straightforward: if the victim meets the criteria – targeted country, correct User-Agent (Chrome on Windows) and proper referer – the script is inserted in the page and rewrites the compromised website on a potential victim’s browser to make the page unreadable, creating a fake issue for the user to resolve,” Proofpoint researcher Kafeine explains.
The website, however, would attempt to infect Internet Explorer users as well. As long as they met specific criteria, they were exposed to a more “classic” exploit kit attack, the researcher notes.
The attack on Chrome users relied on storing all the data between HTML tags in an array, then replacing them with “�”. Because this is not a proper ISO character, the browser would display the replacement character � instead.
A fake alert displayed in the browser would prompt users to install an updated font pack to view the content of the page. The victim was told that the specific font (“HoeflerText,” in Proofpoint’s example) wasn’t found, and that the user should install the update immediately. The fake alert can’t be closed using the “x” button and malware is executed when the user approves the so called update.
Proofpoint suggests that the campaign was launched on December 10, 2016 and says that the “Chrome_Font.exe” file that users are tricked to install is in fact the ad fraud malware known as Fleercivet.
The malware spreads in affiliate mode, with its affiliate initially seen on underground markets as “Simby,” until they disappeared in early 2015, only to reappear later that year as “Clicool.” Upon infection, the malware causes the computer to browse the Internet in the background, on its own.
The new campaign, Kafeine says, is important because the new patch added to the EITest compromise chain combines social engineering with the targeting of Chrome users (different paths have been added to the EITest before, such as the redirection to an Android “Police” Browser locker spotted in December 2014.).
“Because actors are finding it more difficult (and therefore less profitable) to achieve conversions (i.e., malware installations) via exploit kit, they are turning to new strategies. As with other threats, actors are exploiting the human factor and are tricking users into loading the malware themselves, this time via selective injects into websites that create the appearance of problems along with the offer of fake solutions,” Proofpoint’s researcher concludes.