Fake Chrome Font Update Infects Users With Spora Ransomware

Malware campaigns are targeting users with fake update notifications, and this one is now distributing ransomware instead of ad fraud malware. The campaign launched on December 10, 2016, and was initially observed dropping the Fleercivet ad fraud malware. It is tied to the EITest compromise chain, which is mainly associated with exploit kit activity.

The campaign targeted Chrome for Windows users with clever social engineering: malicious code injected into a compromised site fingerprints visitors. If certain criteria are met, it makes the text on the page unreadable and displays a fake alert telling users that they need to install a font pack update to view the content.

How the Fake Chrome Font Update Attack Works

To protect yourself from the EITest Chrome Font Update attack, you need to know how it works. The EITest actors first hack legitimate sites and then add JavaScript code to the end of the page. This code makes the page look like gibberish and then displays a pop-up alert saying that Chrome needs a ‘Chrome Font Pack’.

When a user visits this page, the JavaScript scrambles the text of the page to make it unreadable and then displays a pop-up alert stating that the page is not displaying properly because the ‘HoeflerText’ font is missing. It then prompts the user to click the Update button to download the “Chrome Font Pack”.

When the user clicks the Update button, the Update.exe file is automatically downloaded and saved to the default download folder. The attackers then show a helpful-looking screen that tells the user how to find and execute the program.

In the previous Chrome font pack campaigns, the file was called Chrome_Font.exe and installed the ad-clicking Trojan called Fleercivet. This time, the file is actually an installer for Spora ransomware. Once the executable is launched, Spora begins the encryption process and makes data unusable. When encryption completes, it displays a ransom note and asks the user to make a payment.
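For site owners checking their own pages for this kind of injection, the following Python sketch (an added example, not code from the original article or from the campaign) scans a page's script blocks for the lure strings named above. The sample pages, the function names and the two-string threshold are constructed assumptions.

```python
import re

# Lure strings quoted in the article; matching is case-insensitive.
LURE_STRINGS = ("HoeflerText", "Chrome Font Pack", "Update.exe", "Chrome_Font.exe")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def scan_page(html):
    """Return findings for script blocks that contain the lure strings."""
    blocks = list(SCRIPT_RE.finditer(html))
    findings = []
    for index, match in enumerate(blocks):
        body = match.group(1).lower()
        hits = [s for s in LURE_STRINGS if s.lower() in body]
        if not hits:
            continue
        findings.append({
            "offset": match.start(),
            "hits": hits,
            # The article says the code is added to the end of the page.
            "last_script": index == len(blocks) - 1,
            "after_html_close": "</html>" in html[:match.start()].lower(),
        })
    return findings


def is_suspicious(html):
    """Flag a page when one script block carries two or more lure strings."""
    return any(len(f["hits"]) >= 2 for f in scan_page(html))


# Constructed samples (not captured from a real site).
CLEAN_PAGE = """<html><body><h1>News</h1>
<p>Read about the HoeflerText typeface.</p>
<script>console.log("analytics");</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<script>
var msg = "The 'HoeflerText' font was not found.";
var btn = "Update";  // offers the "Chrome Font Pack"
var file = "Update.exe";
</script>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, is_suspicious(page), scan_page(page))
```

A script that assembles these strings at run time would not match a static scan like this, so a clean result does not prove a page is uncompromised.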

At this time, unfortunately, there is no way to decrypt files encrypted by Spora ransomware for free. If you see a pop-up on a page stating that you need to download a Chrome Font Pack, you should immediately close the browser and not visit the site again. Such an alert is an indication that something is wrong with the site, and it should be avoided.
