Even though Bitdefender released a GandCrab decryptor today, it is not stopping the GandCrab affiliates from continuing to use new methods to distribute their ransomware. Today malware traffic analyst nao_sec discovered that EITest was being used to distribute the GandCrab ransomware as part of the HoeflerText Font Update scam.

This social engineering scam scrambles the text of a hacked site when a visitor reaches it through a search engine. The JavaScript then issues an alert stating that the scrambled text was due to a browser font not being found and that a user should download and install a browser Font Pack to fix the problem.

Image: HoeflerText Scam

If a user clicks on the Update button, it will download a file called Font_Update.exe, which when executed will install the GandCrab Ransomware. A video on the malware analysis sandbox site Any.Run illustrates what happens when a user installs this Font_Update.exe executable.

EITest also pushing the Netsupport Manager Remote Access Utility

When I tested the site provided by nao_sec, instead of GandCrab being pushed on me, I had the Netsupport Manager remote access utility installed on my computer. Nao_sec feels that depending on the location of the visitor, different payloads may be distributed.

For me, when the Font_Update.exe is executed it will extract and run an obfuscated g.js file.

Image: Obfuscated g.js JavaScript file

This g.js script will connect to a remote site and begin to download a variety of files onto the infected computer.

Image: Fiddler traffic

The files being downloaded make up the Netsupport Manager remote access utility package and are saved into the tokipp folder under %AppData%. It is important to note that Netsupport Manager is a legitimate remote access utility being utilized maliciously by the attackers.

Image: Tokipp folder

Once all of the files are downloaded, the client32.exe program will be executed and the attackers will be able to gain access to the infected computer.
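The chain described above (Font_Update.exe launching a script host to run g.js, files written into a tokipp folder under %AppData%, then client32.exe executed from there) gives a defender three observable points to alert on. The following Python is an added example written for this article, not code from nao_sec, Any.Run or the Netsupport vendor. It runs over a handful of constructed endpoint events in a hypothetical "type|path|cmdline|parent" format (not any real product's log schema) and flags each stage, while leaving a copy of client32.exe installed under Program Files alone, since the article stresses that Netsupport Manager itself is legitimate software.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events modelled on the infection chain in the article.
# Format (hypothetical): kind|path|cmdline|parent
#   proc: path = process image, cmdline = command line, parent = parent image name
#   file: path = file written, cmdline = unused, parent = writing process name
SAMPLE_EVENTS = [
    "proc|C:\\Users\\alice\\Downloads\\Font_Update.exe|Font_Update.exe|chrome.exe",
    "proc|C:\\Windows\\System32\\wscript.exe|wscript.exe //E:jscript "
    "C:\\Users\\alice\\AppData\\Local\\Temp\\g.js|Font_Update.exe",
    "file|C:\\Users\\alice\\AppData\\Roaming\\tokipp\\client32.exe||wscript.exe",
    "file|C:\\Users\\alice\\AppData\\Roaming\\tokipp\\client32.ini||wscript.exe",
    "proc|C:\\Users\\alice\\AppData\\Roaming\\tokipp\\client32.exe|client32.exe|wscript.exe",
    # Legitimate install location: should NOT be flagged.
    "proc|C:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe|client32.exe|services.exe",
]

APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Event:
    kind: str
    path: str
    cmdline: str
    parent: str


def parse_event(line):
    """Split one pipe-delimited event line into its four fields."""
    kind, path, cmdline, parent = line.split("|", 3)
    return Event(kind, path, cmdline, parent)


def basename(path):
    # ntpath handles Windows-style paths regardless of the host OS
    return ntpath.basename(path).lower()


def detect_chain(lines):
    """Return (rule_name, path) findings for each stage of the Font_Update chain."""
    findings = []
    for raw in lines:
        ev = parse_event(raw)
        name = basename(ev.path)
        if ev.kind == "proc":
            # Stage 1: Font_Update.exe launching a script host that runs g.js
            if (ev.parent.lower() == "font_update.exe"
                    and name in SCRIPT_HOSTS
                    and "g.js" in ev.cmdline.lower()):
                findings.append(("font_update_runs_gjs", ev.path))
            # Stage 3: Netsupport client executed from under %AppData%
            if name == "client32.exe" and APPDATA_RE.search(ev.path):
                findings.append(("client32_exec_from_appdata", ev.path))
        elif ev.kind == "file":
            # Stage 2: Netsupport client binary dropped under %AppData%
            if name == "client32.exe" and APPDATA_RE.search(ev.path):
                findings.append(("client32_dropped_in_appdata", ev.path))
    return findings


if __name__ == "__main__":
    for rule, path in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The %AppData% path check is the heuristic that separates the abuse seen here from a sanctioned deployment; it is an assumption for this example, and an organisation that legitimately runs Netsupport Manager would want to anchor the rule to its own approved install path and signer instead.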

With all of this said, if you see a popup on a page stating that you need to download a Firefox or Chrome Font Pack, you should immediately close the browser and not visit the site again. An alert like this is just an indication that something is not right with the site and it should be avoided.
