Experts spotted a malware campaign using HoeflerText Popups to push RAT Malware

Pierluigi Paganini September 02, 2017

Experts spotted a new EITest campaign leveraging HoeflerText Popups to target Google Chrome users and push NetSupport Manager RAT or Locky ransomware

Security expert Brad Duncan with both the SANS Internet Storm Center and Palo Alto Networks’ Unit 42, has spotted a malware campaign leveraging bogus popups that alert users to a missing web-font.

The crooks are targeting Google Chrome and Firefox browser users, the researcher discovered the popups contain a malicious JavaScript file that delivers either the NetSupport Manager remote access tool (RAT) or Locky ransomware.

Duncan reported many similarities with the EITest malware campaign.

“The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.” reads the post published by PaloAlto Networks. “However, by late August 2017, this campaign began pushing a different type of malware.  Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary.”

Victims are lured to a compromised website that generates a bogus popup message informing the user the webpage they are trying to view cannot display correctly because their browser hasn’t the correct “HoeflerText” font and suggest them to fix the issue downloading a Chrome Font Pack.

HoeflerText malware campaign

“However, when I tried these same links in Google Chrome, they displayed a fake notification stating: The “HoeflerText” font was not found.” Duncan wrote.

“These notifications also had an ‘update’ button. When I clicked it, I received a JavaScript file named Win.JSFontlib09.js. That JavaScript file is designed to download and install Locky ransomware,”

In another case, the same Chrome HoeflerText font update delivers the file “Font_Chrome.exe” file that delivers and installs NetSupport Manager RAT.

Duncan observed malicious spam messages including links to fake Dropbox pages that when visited showed bogus notification about the need of installing the HoeflerText font.

“If you viewed the pages in Chrome or Firefox, they showed a fake notification stating you don’t have the HoeflerText font.  These fake notifications had an “update” button that returned a malicious JavaScript (.js) file.” said Duncan.

The expert tried different browsers and observed mixed behaviors, Tor and Yandex browsers both returned the same results as IE 11 and Microsoft Edge when viewing those fake Dropbox pages.  Opera and Vivaldi returned the same HoeflerText notifications seen in Google Chrome.

“In recent days, I’ve noticed multiple waves of malspam every weekday.  It gets a bit boring after a while, but as 2017-08-31 came to a close, I noticed a different technique from this malspam,” Duncan added.

Victims using Internet Explorer or Microsoft Edge on bogus webpages did not trigger the HoeflerText’ popup,  rather, victims will get a fake anti-virus alert with a phone number for a tech support scam.

“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” Duncan concluded.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – HoeflerTextRAT malware)

[adrotate banner=”12″]



you might also like

leave a comment