{"id":7458,"date":"2017-04-26T12:10:02","date_gmt":"2017-04-26T20:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/26\/news-1249\/"},"modified":"2017-04-26T12:10:02","modified_gmt":"2017-04-26T20:10:02","slug":"news-1249","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/26\/news-1249\/","title":{"rendered":"A story of fonts by the EITest HoeflerText campaign"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 26 Apr 2017 19:45:58 +0000<\/strong><\/p>\n

One of the most common malware campaigns from compromised websites is known as EITest<\/a> and has traditionally been redirecting victims towards exploit kits<\/a>. But it also has an alternate payload for browsers other than Internet Explorer, specifically for Google\u00a0Chrome, where it tricks users into downloading a fake font file.<\/p>\n

The technique first exposed\u00a0by Proofpoint<\/a>,\u00a0is simple and yet so clever because it truly creates an illusion that there is a problem with the site being viewed. In addition, the prompt to download\u00a0the ‘Chrome Font Pack’ looks sleek and professional:<\/p>\n

\"\"<\/a><\/p>\n

The downloaded file is not a font of course, but malware. The perpetrators have used the standard\u00a0name “Chrome font.exe” and a few other variations, but they have been playing with character encoding as well. This alters the file name enough (perhaps to break simple signature detection?) but still looks almost identical to the naked eye.<\/p>\n

\"\"<\/a><\/p>\n

This is how the file looks, side by side with the classic UTF encoding:<\/p>\n

\"\"<\/p>\n

When Windows doesn’t recognize the character set, it will display\u00a0‘?’ instead. Here’s a quick view of this\u00a0encoding (courtesy of Unicode Analyzer<\/a>).<\/p>\n

\"\"<\/p>\n

Users that proceed and install the so-called font are immediately infected with the Spora ransomware:<\/p>\n

\"\"<\/a><\/p>\n

Malwarebytes <\/a>already protects you against Spora thanks to its behaviour-based ransomware detection engine.<\/p>\n

The post A story of fonts by the EITest HoeflerText campaign<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 26 Apr 2017 19:45:58 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
The HoeflerText campaign is known for a fake font download that delivers the Spora ransomware. But did you know it also uses special characters in the dropper’s file name?<\/p>\n

Categories: <\/p>\n