Even though Bitdefender released a GandCrab decryptor today, it is not stopping the GandCrab affiliates from continuing to use new methods to distribute their ransomware. Today, malware traffic analyst nao_sec discovered that EITest was being used to distribute the GandCrab ransomware as part of the HoeflerText Font Update scam.
If a user clicks on the Update button, it will download a file called Font_Update.exe, which when executed will install the GandCrab Ransomware. A video on the malware analysis sandbox site Any.Run illustrates what happens when a user installs this Font_Update.exe executable.
When I tested the site provided by nao_sec, instead of GandCrab being pushed on me, I had the Netsupport Manager remote access utility installed on my computer. Nao_sec feels that depending on the location of the visitor, different payloads may be distributed.
For me, when the Font_Update.exe is executed it will extract and run an obfuscated g.js file.
This g.js script will connect to a remote site and begin to download a variety of files onto the infected computer.
The package of files being downloaded is for the Netsupport Manager remote access utility and will be downloaded into the tokipp folder under %AppData%. It is important to note that Netsupport Manager is a legitimate remote access utility being utilized maliciously by the attackers.
Once all of the files are downloaded, the client32.exe program will be executed and the attackers will be able to gain access to the infected computer.
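The chain just described (Font_Update.exe running g.js, NetSupport files landing in the tokipp folder under %AppData%, then client32.exe starting) is something a defender can turn into a host-telemetry check. The following is an added detection example, not code from the article or from nao_sec: it runs three rules over constructed Sysmon-style process-creation events. The folder name tokipp, the file names Font_Update.exe, g.js and client32.exe come from the article; the user name, PIDs, Temp path, the benign events, and the assumption that g.js is executed through wscript.exe are all made up for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style), trimmed to the fields the rules need."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not captured data): one host replaying the chain from the article
# plus two benign events that must not fire. User name, PIDs and the Temp path are made up.
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Users\alice\Downloads\Font_Update.exe",
              r'"C:\Users\alice\Downloads\Font_Update.exe"'),
    # Assumption: the dropped g.js is run through the Windows script host (wscript.exe).
    ProcEvent(4188, r"C:\Users\alice\Downloads\Font_Update.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\g.js"'),
    ProcEvent(4260, r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\AppData\Roaming\tokipp\client32.exe",
              r'"C:\Users\alice\AppData\Roaming\tokipp\client32.exe"'),
    # Benign: a properly installed NetSupport client under Program Files (constructed path).
    ProcEvent(900, r"C:\Windows\System32\services.exe",
              r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
              r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" -service'),
    # Benign: a user double-clicking an unrelated downloaded installer.
    ProcEvent(5000, r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Downloads\7z-setup.exe",
              r'"C:\Users\alice\Downloads\7z-setup.exe"'),
]

APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TOKIPP_RE = re.compile(r"\\tokipp\\", re.IGNORECASE)
JS_ARG_RE = re.compile(r"\.js\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons this event is suspicious (empty list means no rule fired)."""
    reasons = []
    # Rule 1: NetSupport client started from a user-writable AppData path. A legitimate install
    # lives under Program Files, so the location is the signal, not the binary itself.
    if basename(ev.image) == "client32.exe" and APPDATA_RE.search(ev.image):
        reasons.append("client32.exe launched from AppData")
    # Rule 2: the drop folder named in the article, used as a direct indicator.
    if TOKIPP_RE.search(ev.image) or TOKIPP_RE.search(ev.command_line):
        reasons.append("path contains tokipp folder")
    # Rule 3: a .js file executed by a child of Font_Update.exe (the dropper running g.js).
    if basename(ev.parent_image) == "font_update.exe" and JS_ARG_RE.search(ev.command_line):
        reasons.append("script launched by Font_Update.exe")
    return reasons


def find_suspicious(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that trips at least one rule."""
    return {ev.pid: r for ev in events if (r := classify(ev))}


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Rule 1 is the durable one: it keys on a legitimate remote-access binary running from a per-user directory, which survives the attackers renaming the drop folder. Rule 2 is a brittle indicator tied to this campaign, and Rule 3 catches the dropper stage before NetSupport is ever downloaded.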
With all of this said, if you see a popup on a page stating that you need to download a Firefox or Chrome Font Pack, you should immediately close the browser and not visit the site again. An alert like this is just an indication that something is not right with the site and it should be avoided.