For a while now, malware distributors have been using a social engineering attack against Chrome users in which a website shows an alert stating that a font needed to view the web page was not found. The attack then prompts the Chrome user to download a Chrome Font Pack in order to properly view the site.

Today, Proofpoint exploit expert Kafeine discovered that attackers have modified this attack to target Firefox users as well. Now when a visitor goes to a page that hosts this attack, the script will determine the browser and display the appropriate attack for either Chrome or Firefox. This attack campaign is currently pushing the Zeus Panda banking Trojan.

Examining the Firefox HoeflerText Attack

The attack entails tricking a target into going to a specific URL that hosts the JavaScript code that starts the attack. It is not currently known whether users reach this URL through malspam, malvertising, or exploit kits. Once a Firefox user visits the site, they will be shown an alert stating that "The "HoeflerText" font was not found." and that they need to update the "Mozilla Font Pack".

HoeflerText Font Not Found Alert

Once a user clicks on the Update button, a download for a ZIP file called Mozilla_Font_v7.87.zip will be initiated. The downloaded zip file contains a JScript file called Mozilla_Font_v7.87.js.

Mozilla_Font_v7.87.zip

When the download is initiated, the alert on the web site will change to instructions on how a victim should install the "Mozilla Font Pack".

Instructions on how to Install the HoeflerText Font

These instructions inform the victim to double-click on the JS file in order to begin the update process. The contents of this script can be seen below.

Mozilla_Font_v7.87.js File

When the script is launched it will download a file called Mozilla_Font_v7.87.exe, which currently has 30/62 detections at VirusTotal, and saves it to the C:\ folder. Once saved, the script will execute the downloaded file. When the download is executed it will inject the Zeus Panda banking Trojan into two svchost.exe processes as shown below.

Injected Processes

An autostart will also be configured so that Zeus Panda launches when the user logs into Windows.

As you can see, social engineering attacks are becoming more sophisticated and expanding to increase the range of available targets. It is therefore important to only install updates for a browser that are downloaded directly from the developer.
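
For defenders, the delivery format described above (a ZIP whose only content is a JScript file) can be checked at a web or mail gateway before the archive reaches a user. The following is an added example, not code from the campaign or from the original article; the function names and sample archives are constructed for illustration, and the extension list is the set of script types that Windows Script Host runs on double-click by default.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types that Windows Script Host executes on double-click by default.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return names of archive members that Windows Script Host would execute."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # ZIP names use "/" separators; test only the final suffix,
            # case-insensitively, so "Font.TTF.JS" is still caught.
            if PurePosixPath(info.filename).suffix.lower() in WSH_EXTENSIONS:
                hits.append(info.filename)
    return hits


def is_script_only_archive(zip_bytes: bytes) -> bool:
    """True when every file in the archive is a WSH script (the lure's layout)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        files = [i.filename for i in archive.infolist() if not i.is_dir()]
    return bool(files) and len(script_members(zip_bytes)) == len(files)


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples with harmless placeholder content; the first name
# mirrors the file name reported in the article.
LURE = build_zip({"Mozilla_Font_v7.87.js": b"// placeholder, not the real script"})
REAL_FONTS = build_zip({"fonts/Example-Regular.ttf": b"\x00\x01\x00\x00",
                        "LICENSE.txt": b"OFL"})

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("font pack", REAL_FONTS)):
        print(label, script_members(sample), is_script_only_archive(sample))
```

A genuine font package contains font files, so an archive that consists only of script files and is presented as a font or browser update is a strong signal to block or quarantine.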


Mozilla Firefox HoeflerText Attack Alert:

The "HoeflerText" font was not found.

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the next, you have to update the "Mozilla Font Pack".

Manufacturer: Mozilla Corporation.
Current version: Mozilla Font Pack 53.0.2785.89
Latest version: Mozilla Font Pack 57.2.5284.21

Mozilla Firefox HoeflerText Attack Instructions:

The "HoeflerText" font was not found.
To install "HoeflerText" font for your PC:

    Download the .js file.
    If prompted, click Run or Save.
    If you chose Save, double-click the .js file to start the installation process. We will automatically import your home page settings and browser history for you.
    Reboot Mozilla:
        Windows 7: A Mozilla window opens once everything is set up.
        Windows 8 and 8.1: A welcome dialogue appears, click Next to select your default browser.
        Windows 10: A Mozilla window opens once everything is set up. You can then make Mozilla your default browser.