HoeflerText Popups Targeting Google Chrome Users

Researchers spotted a new EITest campaign leveraging HoeflerText Popups to target Google Chrome users and push NetSupport Manager RAT or Locky ransomware.

Security researchers with both the SANS Internet Storm Center and Palo Alto Networks’ Unit 42, has spotted a malware campaign leveraging bogus popups that alert users to a missing web-font.

The attackers are targeting Google Chrome and Firefox browser users, the researcher discovered the popups contain a malicious JavaScript file that delivers either the NetSupport Manager remote access tool (RAT) or Locky ransomware.

Many similarities with the EITest malware campaign have been discovered.

“The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.” reads the post published by PaloAlto Networks. “However, by late August 2017, this campaign began pushing a different type of malware.  Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary.”

Victims are lured to a compromised website that generates a bogus popup message informing the user the webpage they are trying to view cannot display correctly because their browser hasn’t the correct “HoeflerText” font and suggest them to fix the issue downloading a Chrome Font Pack.


However, when the same links were tried in Google Chrome, they displayed a fake notification stating: The “HoeflerText” font was not found.

These notifications also had an ‘update’ button. When they were clicked , a JavaScript file named Win.JSFontlib09.js was recieved. That JavaScript file is designed to download and install Locky ransomware.

In another case, the same Chrome HoeflerText font update delivers the file “Font_Chrome.exe” file that delivers and installs NetSupport Manager RAT.

The expert tried different browsers and observed mixed behaviors, Tor and Yandex browsers both returned the same results as IE 11 and Microsoft Edge when viewing those fake Dropbox pages.  Opera and Vivaldi returned the same HoeflerText notifications seen in Google Chrome.

Victims using Internet Explorer or Microsoft Edge on bogus webpages did not trigger the HoeflerText’ popup,  rather, victims will get a fake anti-virus alert with a phone number for a tech support scam.

“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” post concluded.


Chrome Extension CopyFish Hijacked

The chrome extension copyfish , which allows users to extract text from images, PDF documents and video, and has more than 37,500 users , has been compromised by phishers after compromising the Chrome Web Store account of German developer team a9t9 software and abused to distribute spam messages to unsuspecting users.

The extension after compromisation ,  was equipped  with advertisement injection capabilities. However, its Firefox counterpart was not affected by the attack.

The attackers even moved the extension to their developer account, preventing its developers from removing the infected extension from the store, even after being spotted that the extension has been compromised.

How was it hijacked??

According to a9t9 software, one of its team members received a phishing email impersonating the Chrome Web Store team that said them to update their Copyfish Chrome extension; otherwise, Google would remove it from the web store.

The phishing email instructed the member to click on “Click here to read more details,” which opened the “Google” password dialogue box.

The provided link was a bit.ly link, but since the team member was viewing the link in HTML form, he did not find it immediately suspicious and entered the password for their developer account.

Once the developer entered the credentials for a9t9 software’s developer account, the hackers behind the attack updated the Copyfish extension on 29 July to Version 2.8.5, which is pushing out spams and advertisements to its users.

The worst part comes in when the Copyfish makers noticed the issue very quickly, but they could not do anything because the hackers moved the extension to their developer account.

The a9t9 software is warning users that the Chrome extension for Copyfish is currently not under its control. So, users are advised not to install the malicious Chrome extension and remove, if they have already installed.

Critical RCE Vulnerability Discovered in Cisco WebEx Browser Extension

A highly critical remote code execution vulnerability, tracked as CVE-2017-6753, was discovered in the Cisco Systems WebEx browser extension for Chrome and Firefox which  has ~20M active users, and is part of Cisco’s popular web conferencing software.

This is the second time this year a critical vulnerability has been discovered in this product which even led to Google and Mozilla temporarily removing the add-on from their stores the first time.

“The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.” stated by the security advisory published by CISCO.

The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

The vulnerability was discovered by the popular Google Project Zero hacked Tavis Ormandy and Cris Neckar of Divergent Security.

Cisco acknowledged the RCE flaw and has already patched it in the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers.

There are no workarounds that address this vulnerability. However, Mac users may use Safari to join WebEx meetings because Safari is not affected by this vulnerability. Windows users may use Internet Explorer and administrators and users of Windows 10 systems may use Microsoft Edge to join and participate in WebEx sessions because Microsoft Internet Explorer and Microsoft Edge are not affected by this vulnerability.