Since late August, a social engineering, or SocEng, attack called Roboto Condensed has been added to hacked sites to distribute keyloggers, miners, and downloaders. The attack displays an alert to visitors stating that they need to install a "Roboto Condensed" font pack for their browser in order to view the site properly.
If a victim falls for this attack and installs the "update", the victim will be infected with the Ursnif keylogger, a miner, or a Trojan downloader, depending on which malware is currently being distributed. As of Sunday, this attack has also started adding crapware and adware bundles to the mix to make its victims even more miserable.
Let's face it, all malware sucks and no one wants keyloggers, miners, or downloaders on their machines. Yet, there is something about adware that just makes me crazy. Maybe it's because these people act like all the software they distribute is legitimate, aren't afraid of legal repercussions, and are so brazen about it. Regardless of what it is, adware has become so profitable to distribute that even hackers and malware distributors are starting to switch to it.
This is shown in the very detailed article by Malware Breakdown, where the security researcher explains how he discovered that the Roboto Condensed SocEng attack had started adding adware bundles to the mix. In this case the bundle being distributed appears to be one from the InstallCapital pay-per-install software monetization company, as shown by the user agent in the network traffic below.
When these bundles are executed, they connect to remote sites, as seen above, and download an encrypted configuration file that contains the URLs, command line arguments, and EULAs for the various programs that will be downloaded and installed on that particular run. These configurations typically change based on a variety of characteristics, including the browsers installed, the version of Windows, and the geographic location of the computer.
When I tested the bundle included in this attack, a whole variety of unwanted programs and adware were being pushed, as seen below. This included adware, clickers, and PUPs such as System Healer, Runbooster, Videsquare, DNS Locker, and Interstat, all of which are programs commonly pushed by adware bundles. While many of the "offers" were the same as in Malware Breakdown's test, some differed between our two installs.
While the image above makes it appear that a user has the ability to opt out of various "offers", don't let those fancy options fool you. Once the program is executed, those listed programs and more will be automatically installed on the computer without you having to lift a finger.
Before you know it, the computer will be displaying popups, connecting to remote sites as the clickers kick in, modifying your DNS and Internet settings, mining various coins, hijacking your browser, displaying fake security alerts, and generally overrun, as shown in my resulting desktop below.
But that's not all. Some of the crapware that is installed also typically downloads and installs other unwanted programs so that eventually your computer becomes useless.
Unfortunately, adware bundles are only one of the types of malware being distributed by the Roboto Condensed attack. The attackers periodically change what malware the fake font update delivers, so at other times you may get a miner, a keylogger, or another downloader Trojan instead.
So for someone who mistakenly installs the fake update, it is really Russian Roulette when it comes to the type of malware that will be installed.
It goes without saying that if you encounter any web site stating that you need to install an update or a font pack for your browser, it should be avoided and the file should not be installed. Almost all modern browsers contain built-in mechanisms to check for new updates and prompt you to install them. Those prompts will never take the form of a dialog box or alert shown by a web site.