Chrome Attack is a RAT

Tuesday, September 5, 2017 @ 06:09 PM gHale

Chrome users on Windows systems are the target of a remote access Trojan (RAT), researchers said.

The attack is tied to the EITest compromise chain, which has been distributing the Fleercivet ad fraud malware and ransomware variants such as Spora and Mole. The campaign initially targeted only Chrome but later also targeted Firefox.


The attack relies on pop-ups displayed in the Chrome browser on Windows devices, claiming users need to install a HoeflerText font pack. Code injected into compromised websites makes the visited pages look unreadable, which lends the fake popup credibility.

Fingerprinting capabilities included in the injected code trigger the attack only if certain criteria are met (targeted country, correct User-Agent (Chrome on Windows) and proper referer). If the social engineering scheme succeeds and the user agrees to install the fake font pack, a file named Font_Chrome.exe is downloaded and executed, and the system is infected with malware.
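The indicator the article gives defenders is concrete: a Chrome-on-Windows browser fetching an executable named Font_Chrome.exe. The following Python scanner, added here as an example and not code from the article or from Palo Alto Networks, runs that check over web proxy log lines. The log format, the client IPs, the host name example.invalid and the sample lines are all constructed for this example; the filename Font_Chrome.exe is the indicator quoted in the article. It flags an exact match on the lure filename, and separately flags any other .exe download made by Chrome on Windows as a lower-confidence item for review.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines in a simple space-delimited format:
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
# This format and every value in it are assumptions for the example,
# not a real proxy vendor's format or real traffic.
SAMPLE_LOG = """\
2017-09-05T10:01:12Z 10.0.0.12 GET http://example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
2017-09-05T10:01:15Z 10.0.0.12 GET http://example.invalid/Font_Chrome.exe 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
2017-09-05T10:02:40Z 10.0.0.33 GET http://example.invalid/report.pdf 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
2017-09-05T10:03:01Z 10.0.0.45 GET http://example.invalid/setup.exe 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Indicator from the article: the fake font pack is delivered as Font_Chrome.exe.
LURE_FILENAME = "font_chrome.exe"


@dataclass
class Alert:
    ts: str
    ip: str
    url: str
    reason: str


def is_chrome_on_windows(ua: str) -> bool:
    """Match the User-Agent the campaign fingerprints for.

    Legacy Edge also advertises 'Chrome/' in its UA, so exclude it.
    """
    return "Chrome/" in ua and "Windows" in ua and "Edge/" not in ua


def filename_from_url(url: str) -> str:
    """Return the last path segment, lower-cased, ignoring query and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def scan(log_text: str) -> list:
    """Return an Alert for every successful download that matches the indicators."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        d = m.groupdict()
        if d["status"] != "200":
            continue  # only completed downloads matter here
        name = filename_from_url(d["url"])
        if name == LURE_FILENAME:
            alerts.append(Alert(d["ts"], d["ip"], d["url"],
                                "known lure filename Font_Chrome.exe"))
        elif name.endswith(".exe") and is_chrome_on_windows(d["ua"]):
            alerts.append(Alert(d["ts"], d["ip"], d["url"],
                                "executable download by Chrome on Windows (review)"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.ip} {a.url} -> {a.reason}")
```

Run against the constructed sample, only the second line produces an alert: the Firefox download of setup.exe is left alone because the paragraph describes the Chrome-on-Windows fingerprint, and the Mac client never fetches an executable. A real deployment would pivot from the flagged client IP to the host to look for the follow-up RAT install.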

The malware distributed via these fake Chrome font update notifications is the NetSupport Manager remote access tool (RAT). This indicates “a potential shift in the motives of this adversary,” said Brad Duncan of Palo Alto Networks in a blog post.

“Network traffic follows two distinct paths. Victims who use Microsoft Internet Explorer as their web browser will get a fake anti-virus alert with a phone number for a tech support scam. Victims using Google Chrome as their browser will get a fake HoeflerText popup […] that offers malware disguised as Font_Chrome.exe,” Duncan said.

The most recent versions of Font_Chrome.exe are file downloaders designed to retrieve follow-up malware that installs NetSupport Manager. This commercially available RAT was previously associated with a campaign run from hacked Steam accounts last year.

While analyzing the attack, Palo Alto’s researchers discovered two variants of the file downloader and two instances of follow-up malware that install the RAT. Although the RAT is already at version 12.5, the version delivered to targeted Chrome users is 11.0, the researchers found.

“Users should be aware of this ongoing threat,” Duncan said. “Be suspicious of popup messages in Google Chrome that state: The “HoeflerText” font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection.”
