Researchers spotted a new EITest campaign leveraging HoeflerText Popups to target Google Chrome users and push NetSupport Manager RAT or Locky ransomware.
Many similarities with the EITest malware campaign have been discovered.
“The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.” reads the post published by PaloAlto Networks. “However, by late August 2017, this campaign began pushing a different type of malware. Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary.”
Victims are lured to a compromised website that generates a bogus popup message informing the user the webpage they are trying to view cannot display correctly because their browser hasn’t the correct “HoeflerText” font and suggest them to fix the issue downloading a Chrome Font Pack.
However, when the same links were tried in Google Chrome, they displayed a fake notification stating: The “HoeflerText” font was not found.
In another case, the same Chrome HoeflerText font update delivers the file “Font_Chrome.exe” file that delivers and installs NetSupport Manager RAT.
The expert tried different browsers and observed mixed behaviors, Tor and Yandex browsers both returned the same results as IE 11 and Microsoft Edge when viewing those fake Dropbox pages. Opera and Vivaldi returned the same HoeflerText notifications seen in Google Chrome.
Victims using Internet Explorer or Microsoft Edge on bogus webpages did not trigger the HoeflerText’ popup, rather, victims will get a fake anti-virus alert with a phone number for a tech support scam.
“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” post concluded.