Yesterday, Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, wrote a blog article discussing how the EITest Chrome Font Update campaign is now distributing the Spora Ransomware.  

Previously, ProofPoint researcher Kafeine discovered this attack chain distributing the Fleercivet Ad Clicking Trojan, but with the popularity and successful revenue generation of ransomware, it is not surprising to see malware distributors testing this type of infection as well. As Spora diverges from most ransomware with the offering of a menu of different payment options, this could allow for a greater volume of payments compared to ransomware that only use a single large ransom option.

As I am concerned that many people will be tricked by this attack and become infected with Spora, I wanted to provide a description as to how this attack works so people can recognize and avoid it.

How the Chrome Font Pack Update Attack Works

In order to protect yourself from the current EITest Chrome Font Update attack, it is necessary to understand how the attack works.  In order to implement this attack chain, the EITest actors first hack legitimate web sites and add javascript code to the end of the page. This code will cause the page to look like gibberish and then display a popup alert stating that Chrome needs a "Chrome Font Pack" in order to see the page properly again.

An example of how this code looks in the source can be seen below.

Injected Javascript
Injected Javascript
Source: malware-traffic-analysis.net

When a visitor goes to this page, the script will scramble the text of the page so its not readable and then display a pop-up alert that states the page is not displaying properly because the "HoeflerText" font is missing. It then prompts you to click on the Update button in order to download the "Chrome Font Pack" as seen below.

Fake Google Font Pack Prompt
Fake Google Font Pack Prompt
Source: malware-traffic-analysis.net

When a user clicks on the Update button, the popup will automatically download a file called Update.exe and save it to the default download folder. The criminals will then show you a "helpful" screen that tells you how you can find and execute the program.

Instructions on how to Execute the Update.Exe Program
Instructions on how to Execute the Update.Exe Program
Source: malware-traffic-analysis.net

The good news is this downloaded program  is not automatically started and a victim must manually execute the program to become infected. The EITest gang are hoping that by pretending it is a Google Font for Chrome, they can trick people into actually running the file. Once a victim actually double-clicks and executes the file, the crap hits the fan and the computer becomes infected.

In the previous Chrome Pack campaign, the Update.exe was called Chrome_Font.exe and would install the Ad Clicking Trojan called Fleercivet. In this round, EITest has changed the filename to Update.exe, which is actually the installer for the Spora Ransomware. Once this executable is launched, Spora will begin to encrypt a victim's data and most data files will become encrypted and unusable.

When finished encrypting a victim's files, Spora will display a ransom note similar to this one, where a victim can login to the Spora payment site and determine the ransom amount or make payments.

Spora Ransom Note
Spora Ransom Note

Unfortunately, at this time there is no way to decrypt the files encrypted by Spora Ransomware for free. For those who need help with this infection or just want to discuss it, you can use the dedicated Spora Ransomware Support and Help Topic.

What everyone should take away from this is that if you see a popup on a page stating that you need to download a Chrome Font Pack, you should immediately close the browser and not visit the site again. An alert like this is just an indication that something is not right with the site and it should be avoided.


Sample of Update.exe:

https://www.virustotal.com/en/file/d5a1c143b07475b367d2e12ff72fe5a3ec59c42fa11ae2d3eb2d4e76442e60b3/analysis/