
Hack Alert: Chrome Users Urged to Download Missing Font, Install Malware Instead


WALLONN7


The hack popped up on a compromised WordPress site

 

http://i1-news.softpedia-static.com/images/news2/hack-alert-chrome-users-urged-to-download-missing-font-install-malware-instead-513152-4.png
 

Chrome users should beware of a new hacking technique which prompts users to download a missing font only to trick them into installing malware on their systems. 

 

According to cybersecurity firm NeoSmart Technologies, the trap was first noticed while browsing a WordPress website that had allegedly already been compromised. Given the latest issues with WordPress due to users failing to update to the latest security patch, this isn't exactly a surprise.

This particular attack was pretty well disguised. JavaScript was used to tamper with the text rendering on the site, causing it to look all jumbled. The script then prompted users to fix the problem by installing that one font they were missing to read the blog by updating the Chrome font pack. This makes for a rather credible ploy, especially since the dialog window that pops up urging users to update actually looks like it comes from Chrome. It even has the logo on the side and the right shade of blue on the "update" button.

There are some clues that things aren't right, of course. On one hand, the dialog window insists that you're using Chrome version 53 even if you aren't. Then, clicking the "Update" button will proceed to download an executable file titled "Chrome Font v7.5.1.exe" which isn't the same as the one the instruction image said it would download - "Chrome_Font.exe".

The download window

 
It's not flagged as malware

Chrome doesn't flag the file as malware, but it does block it because the file isn't downloaded too often, which is a common warning. The browser advises users to discard the file. Following a VirusTotal scan, only 9 out of 59 anti-virus scanners in the database accurately identify the file as malware, although VirusTotal has some issues with accurately presenting a list of antivirus programs that actually detect various malicious files, so the number may be higher than that.

There's also the fact that you don't need to update any Chrome font pack at any time because it already comes with everything you need.

 

Source


I've seen something like this happen in Firefox before, but instead of a font it said it was a download for Flash, and I haven't even installed Flash for a long time lol. Did you know on Android they haven't had Flash for 5 years and still crazy people fall for it and download malware thinking it's Flash? :)

Users Continue to Install Malware on Their Phone 5 Years After Adobe Discontinued Flash for Android

https://www.bleepingcomputer.com/news/security/users-continue-to-install-malware-on-their-phone-5-years-after-adobe-discontinued-flash-for-android/

Come on people, it's common sense not to download stuff when you don't know what it is!!! This is why Google changed the default setting to ask before you download now; before, it was easy to get malware in Chrome if you didn't know to change the setting. It was a stupid mistake by Google, but in new versions it's a stupid mistake by the end user. :P

 

 



If you restrict execution of .exe files in "%AppData%" & "%LocalAppData%" (and subfolders), these shi*s will stay away from your machine. :thumbsup:

 

With this method you could forget words like "antivirus" & "anti-malware", etc. ;)

 

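An audit a defender could run before enabling the path restriction suggested in the post above, as an added example that is not part of the original post: it finds PE images under the two folders by content and marks which ones a rule matching only the .exe extension would cover. The .exe-only match, the sample file names and the constructed stub used by demo() are assumptions for illustration.

```python
import os
import tempfile

# Constructed stub: MZ header whose e_lfanew field (offset 0x3C) points at "PE\0\0".
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"

def is_pe(path):
    """True if the file content is a PE image, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            fh.seek(int.from_bytes(head[0x3C:0x40], "little"))
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable or locked files are skipped, not reported

def audit(roots):
    """Map every PE file under roots to True if an .exe-extension rule would match it."""
    found = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                if is_pe(full):
                    found[full] = name.lower().endswith(".exe")
    return found

def demo():
    """Run the audit over a constructed tree standing in for %AppData%."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("Updater", "Cache"):
            os.makedirs(os.path.join(root, sub))
        samples = {"Updater/helper.exe": SAMPLE_PE,     # PE content, .exe name
                   "Cache/plugin.dll": SAMPLE_PE,       # PE content, other extension
                   "notes.exe": b"plain text",          # .exe name, not a PE image
                   "readme.txt": b"MZ is not enough"}   # MZ prefix only
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        return {os.path.relpath(p, root).replace(os.sep, "/"): hit
                for p, hit in audit([root]).items()}

if __name__ == "__main__":
    roots = [p for p in (os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA")) if p]
    for path, covered in sorted((audit(roots) if roots else demo()).items()):
        print("covered    " if covered else "not covered", path)
```

Run on a real profile, the output also shows which installed per-user software lives in these folders and would be affected by the restriction.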


I don't execute any exe files when I don't know what they are anyway. You know how many sites are ridden with ads that try to get you to install malware by mistake? When it happened in Firefox to me it was much worse than this. When I looked at the screens, it gives you a warning, it asks you to download; when it happened in Firefox it just tried to download it and didn't ask. NOD blocked it anyway lol. With this malware in Chrome you have to say yes to the download 2 times lol.



I found this out at VirusTotal. To beat it all, it's not just a Google Chrome malware, it doesn't discriminate. The same malware affects Firefox too if you named the installer something else.

 

Proof of it being exploited in Firefox here

https://sandbox.deepviz.com/report/hash/6fc30d8a8d354f2a8128874cf84d0353/
Quote
1 high impact rules

  • Access Mozilla Firefox file that stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history

11 medium impact rules

  • Creates file in Startup folder
  • Hides created files or folders in root directory
  • Access Mozilla Firefox popup site exceptions
  • Strings dump contains file extensions
  • Contains cryptographic functionality
  • Access Mozilla Firefox extensions list
  • Access Mozilla Firefox downloads history
  • Access Mozilla Firefox cookies
  • Access Mozilla Firefox form history
  • Access Mozilla Firefox add-ons list

12 low impact rules

  • Suspicious delay
  • Modify "OpenWith" application list for a set of specified file extensions
  • PE section has SizeOfRawData larger than VirtualSize
  • Runs existing executable
  • PE Checksum is invalid
  • Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion ...)
  • Check user main folders path
  • Automatically unpack its own code
  • Contains anti-debugging code
  • Drops .EXE file
  • EntryPoint points inside a writable section
  • Access Windows sensitive data: Windows Profiles information

 

 

 

But by the time this got posted here, it was found over 2 days ago and any good antivirus will stop it.

https://www.virustotal.com/en/file/7e62a5ca20cfb5da90fe7402f413321c9ede7e230e8b4fa2f1a4e516e8ae8e34/analysis/

And that's why I haven't used Safe Browsing since 2011; by the time they catch it, everything else has too lol. If you were using Malwarebytes, it caught it even when the source first found it.

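Two of the static rules in the sandbox report quoted above, "PE section has SizeOfRawData larger than VirtualSize" and "EntryPoint points inside a writable section", checked directly from PE headers; this is an added example, not part of the original post and not the sandbox's own code. The two header-only images are constructed, and their section names and sizes are made up for the demonstration.

```python
import struct

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION = "<8sIIII12xI"  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags

def pe_traits(data):
    """Return findings for two static rules from the report, given a PE image as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    opt_off = pe_off + 24                                    # after signature + COFF header
    entry, = struct.unpack_from("<I", data, opt_off + 16)    # AddressOfEntryPoint (RVA)
    findings = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, _ptr, flags = struct.unpack_from(
            SECTION, data, opt_off + opt_size + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if rawsize > vsize:
            findings.append(f"{label}: SizeOfRawData larger than VirtualSize")
        if vaddr <= entry < vaddr + max(vsize, rawsize) and flags & MEM_WRITE:
            findings.append(f"{label}: EntryPoint points inside a writable section")
    return findings

def build_sample(entry, sections):
    """Constructed header-only PE32 image; sections = [(name, vsize, vaddr, rawsize, flags)]."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H14xI", 0x10B, entry).ljust(0xE0, b"\0")
    table = b"".join(struct.pack(SECTION, n, vs, va, rs, 0x400, fl)
                     for n, vs, va, rs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: an ordinary layout, and one whose entry point sits in a
# writable, executable section holding more raw data than its virtual size.
CLEAN = build_sample(0x1000, [(b".text", 0x2000, 0x1000, 0x2000, MEM_EXECUTE | MEM_READ),
                              (b".data", 0x1000, 0x3000, 0x200, MEM_READ | MEM_WRITE)])
ODD = build_sample(0x5010, [(b".text", 0x1000, 0x1000, 0x1000, MEM_EXECUTE | MEM_READ),
                            (b".stub", 0x800, 0x5000, 0x1000,
                             MEM_EXECUTE | MEM_READ | MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("odd", ODD)):
        print(label, pe_traits(image))
```

Raw size exceeding virtual size also occurs in ordinary binaries, because raw data is padded to the file alignment, which fits the low impact rating the report gives that rule.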


Archived

This topic is now archived and is closed to further replies.
