A malware campaign utilizing bogus popups that alert users to a missing web-font is targeting Google Chrome and Firefox browser users. The popups contain a malicious JavaScript file that initiates the download of either the NetSupport Manager remote access tool (RAT) or Locky ransomware.
The campaigns were spotted by Brad Duncan with both the
SANS Internet Storm Center and
Palo Alto Networks’ Unit 42. He said the attacks relate to similar malware campaigns, dubbed EITest, that date back to December 2016.
In all cases victims are lured to a booby-trapped website that generates a bogus popup message informing the user the webpage they are trying to view cannot display correctly because the browser is missing the correct “HoeflerText” font (see below).
