A couple of weeks ago researchers reported about a malware campaign what was going after Chrome users on Windows OSs. The campaign was first noticed in December last year by Proofpoint security experts and it was known to rely on the notorious EITest chain, which, in turn, was used in several Exploit Kits leading to ransomware attacks, identity thefts, etc.
The researchers explained that the EITest cyber gang was hacking legitimate websites and then adding a JavaScript code. This code causes the page to display a pop-up alert that asks users to download a Chrome Font Pack. Also, the alert blocks the content of the entire page as the users are not able to use the “X” button to close it. This way more users are likely to download the pack.
However, while the first version of the campaign was only targeting Chrome users with malware, now there is a newer one which is dropping ransomware on the victims` machines that encrypts their data. The crooks behind the campaign have decided to upgrade it. According to Brad Duncan of Palo Alto Networks, the campaign`s developers have replaced the final payload, which is now the Spora ransomware. The overall mechanism is still the same only with the difference that the infection now locks victims` files and demands a ransom.
In the first version, the users were asked to install a file named Chrome_Font.exe which would then download the Fleercivet Trojan. Now, on the other hand, the executable is called Update.exe and, if launched, it installs the Spora ransomware and the encryption process begins automatically.
Luckily, there is some good news. In order for the infection to work, the users have to not only download the file but also to manually execute it. Even though the campaign uses the official Google fonts and style, which may mislead the users, there is still a chance for them not to install the executable.
The bad news is that, at least for now, there is no way of decrypting files locked by Spora for free. However, security researchers are actively keeping up to date with this infection trying to warn as many users as possible. If people are aware, they will stay away from the Chrome Font Pack.
