This "Chrome Font Packs" Malware is Affecting Computers

Chrome users may want to stay extra vigilant when browsing the web today as cyber security firm NeoSmart Technologies have discovered a crafty new way that hackers are using to get users to unknowingly install malware onto their computers.

First discovered by Mahmoud Al-Qudsi, the attempt relies on using JavaScript to replace normal text with misencoded symbols and gibberish. This “hack” would then prompt the user to update the “Chrome language pack”.

Clicking on the “Update” button would cause the website to download a file called “Chrome Font v7.5.1.exe” which is a malware in disguise. What happens next is pretty straightforward: the user opens the “.exe” file and installs it on their machine, and the machine is now compromised, giving hackers access to it.

hoefler text not found

While the entire attack is rather convincing, there are a few glaring flaws that this attack has. The first major flaw is that the dialog box for the attack is hard coded to display version 53 of Chrome, so those who are well aware of the version of Chrome they’re running would immediately sense that something is off.

update text

On top of that, downloading the “Chrome Font Pack” would cause the Chrome browser to flag the download as “not being downloaded very often”, although Chrome doesn’t actively flag the file as being malicious.

Finally, the entire process of download and executing the file is misrepresented between the accompanying pop-up dialog and the actual process, such as discrepancies in the file’s name, as well as a non-existent UAC prompt.

non existent uac prompt

Interestingly enough, this particular malware has managed to evade both Windows Defender and Chrome scans. Furthermore, VirusTotal reveals that the malware itself could potentially be a new creation, considering the fact that only 9 out of 57 antivirus scanners could identify the malware thanks to heuristics.

In the meantime, the best way to prevent your device from being compromised is to avoid running executables from sources that appear shady.

virus total
FacebookTwitterInstagramPinterestLinkedInGoogle+YoutubeRedditDribbbleBehanceGithubCodePenEmail