Don’t Fall for This Malware Campaign That Targets Google Chrome Users


Researchers have discovered a new malware campaign that is specifically targeting Google Chrome users on Windows computers. First noticed in December, the campaign uses the infamous EITest chain, which has previously fed multiple exploit kits leading to identity theft, ransomware and other kinds of attacks. This time, however, it is being used in more targeted attacks rather than in exploit kits.

Chrome attack replaces HTML tags & destroys web pages

Security researchers at Proofpoint have detailed a new malware campaign targeting the Chrome browser. Once the injected code identifies the visitor's browser, it rewrites the page and displays an alert, making the page content unreadable. Since the "X" doesn't close this alert, users are more likely to click on the "Update" button. This enables the malware to download and install a file that is purported to be a font file.


The "Chrome_Font.exe" is a type of ad fraud malware known as Fleercivet (the name given by Microsoft), the security team said. The target victim is told that a specific font ("HoeflerText" in this example) wasn't found and that the user needs to install the update immediately. Since the pop-up carries Google Chrome's logo along with its button styles, it lends more legitimacy to the scam.

Here's how the attack works:

The infection is straightforward: if the victim meets the criteria - targeted country, correct User-Agent (Chrome on Windows) and proper referer - the script is inserted in the page and rewrites the compromised website on a potential victim's browser to make the page unreadable, creating a fake issue for the user to resolve. Note that IE users who meet other criteria will experience a more classical EK attack...

The pages are rendered unreadable by storing all the data between HTML tags in an array and iterating over them to replace them with “&#0”, which is not a proper ISO character; as a result, the replacement character � [9] will be displayed instead.
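The rewrite described above happens in the visitor's browser, so the raw server response looks normal; it is the rendered DOM (a saved page or a DOM dump from a browser) that ends up full of replacement characters. The following added example is not from Proofpoint or this article: it decodes the "&#0" reference the same way a browser does and then measures what fraction of a page's visible text is U+FFFD, a simple defender-side signal that a page has been scrambled in this way. The two sample pages are constructed for the example, and the 50% threshold is an assumption.

```python
import html
from html.parser import HTMLParser

REPLACEMENT_CHAR = "\ufffd"


def decode_reference(ref):
    """Decode a numeric character reference as an HTML5 parser would.
    "&#0" (with or without the semicolon) is not a valid code point and
    decodes to U+FFFD, which is why the rewritten pages show only boxes."""
    return html.unescape(ref)


class VisibleTextExtractor(HTMLParser):
    """Collect the text between tags, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &#0 -> U+FFFD for us
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def replacement_char_ratio(page_html):
    """Fraction of non-whitespace visible characters that are U+FFFD."""
    parser = VisibleTextExtractor()
    parser.feed(page_html)
    parser.close()
    visible = [c for c in "".join(parser.chunks) if not c.isspace()]
    if not visible:
        return 0.0
    return sum(1 for c in visible if c == REPLACEMENT_CHAR) / len(visible)


def looks_scrambled(page_html, threshold=0.5):
    """Flag a DOM dump whose visible text is mostly replacement characters.
    The threshold is an assumption; a legitimate page with a handful of
    mis-encoded characters stays far below it."""
    return replacement_char_ratio(page_html) >= threshold


# Constructed sample: a normal page as the server delivered it.
CLEAN_PAGE = """<html><head><title>Weekly update</title></head>
<body><h1>Release notes</h1>
<p>Version 2.1 fixes the login timeout.</p>
<script>var tracked = 1;</script>
</body></html>"""

# Constructed sample: the same DOM after every text node has been
# replaced with "&#0", as the injected script is reported to do.
SCRAMBLED_PAGE = """<html><head><title>&#0</title></head>
<body><h1>&#0</h1>
<p>&#0</p>
<script>var tracked = 1;</script>
</body></html>"""


if __name__ == "__main__":
    print(repr(decode_reference("&#0")))            # '\ufffd'
    print(replacement_char_ratio(CLEAN_PAGE))        # 0.0
    print(replacement_char_ratio(SCRAMBLED_PAGE))    # 1.0
    print(looks_scrambled(SCRAMBLED_PAGE))           # True
```

Run it against a DOM dump rather than the HTTP body: the injection is conditional on the User-Agent and referer, so a crawler that does not look like Chrome on Windows will never be served the script, and the server-side HTML will pass this check even on a compromised site.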

Once infected, the computer will start browsing in the background on its own. The EITest infection chain used in this latest Chrome malware campaign has been previously used to compromise a large number of websites, using known vulnerabilities in WordPress or Joomla. The group redirected users from infected sites to a malicious payload that was used in exploit kits. The latest attack strategy is, however, different since it first filters out its targets and then launches the attack.

The recent "font" attack on Chrome users actually has to rely on users clicking on the download/update button, which means there's no guarantee that the exploit kit will make the perpetrator money.

"Because actors are finding it more difficult (and therefore less profitable) to achieve conversions (i.e., malware installations) via exploit kit, they are turning to new strategies," researchers said. "As with other threats, actors are exploiting the human factor and are tricking users into loading the malware themselves, this time via selective injects into websites that create the appearance of problems along with the offer of fake solutions."