Every day we see different website infections. When we receive unusual or interesting cases, our researcher instincts are triggered to investigate the unusual website behavior in order to understand how new infections work. In this case, the odd behavior was the website’s pop-up window claiming there was a missing font.
The Unwanted Popup Window
A website owner reached out to us to investigate the error displaying on their site. The popup window informed the visitors that they were unable to view the content of the site because their computers were missing a font called “HoeflerText”:
The malware tries to trick visitors into clicking the “Update” button, which downloads a malicious file called Font_Update.exe.
In this case, the malicious code is not in a plugin, but in a core file.
Malicious Code in a WordPress Core File
The snippet above shows the injected code in the WordPress core file ./index.php. The code checks the visitor’s browser type and version before doing anything else; in this specific case, only Chrome browsers were targeted, so visitors using other browsers saw the site behave normally.
The Misleading Missing Font Warning
The other regex and code are responsible for deliberately rendering the page incorrectly for the client.
The page looks damaged or corrupted in an attempt to convince the user that the breakage is caused by the missing font.
By adding a missing font warning, the hacker makes their malicious pop-up window look inconspicuous to visitors.
The other part of the malicious code shows the pop-up window and the alert to the visitors about this missing “HoeflerText” font on their computers:
Where is the Malware?
The hackers were storing the hxxps://Another-Hacked-site[.]dom/avx/images/x86x.php file on another hacked website.
Once the visitor clicks on the Update button to download the fix for the missing font, a Dropbox URL appears and downloads the malicious Font_Update.exe file to the victim’s computer.
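As an added example (not code from the original post or from the compromised site), the following Python scanner applies the two defensive checks this case calls for: comparing a WordPress core file against a known-good hash, and flagging the combination of user-agent sniffing with the fake “HoeflerText” / Font_Update.exe strings described above. The file contents, the injected sample and the indicator regexes are constructed for the demonstration and are not the real injected code.

```python
import hashlib
import re
from typing import Dict, List

# Indicators derived from the behaviour described above: user-agent sniffing
# for Chrome, the fake "HoeflerText" font warning, and the Font_Update.exe
# lure. These regexes are assumptions for this example, not the injected code.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "ua_sniff": re.compile(r"HTTP_USER_AGENT"),
    "chrome_check": re.compile(r"\bChrome\b"),
    "fake_font": re.compile(r"HoeflerText", re.I),
    "font_update": re.compile(r"Font_Update\.exe", re.I),
}

# Constructed stand-in for a pristine WordPress index.php (WordPress 5.x).
CLEAN_INDEX = (
    "<?php\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)

# Constructed sample of a tampered core file, modelled on the write-up:
# a Chrome-only branch that prints a fake missing-font notice.
INFECTED_INDEX = (
    "<?php\n"
    "if (strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== false) {\n"
    "    echo '<div>The \"HoeflerText\" font was not found. Update</div>';\n"
    "}\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def indicator_hits(php_source: str) -> List[str]:
    """Return the names of every indicator present in the file contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(php_source)]

def assess(php_source: str, known_good_hash: str) -> Dict[str, object]:
    """Integrity check plus behavioural indicators for one core file.

    'tampered' means the hash differs from the pristine copy of that version;
    'fake_font_injection' means the file both sniffs the user agent and
    carries a fake-font or Font_Update string, the combination seen here.
    """
    hits = indicator_hits(php_source)
    tampered = sha256_hex(php_source) != known_good_hash
    injection = "ua_sniff" in hits and bool({"fake_font", "font_update"} & set(hits))
    return {"tampered": tampered, "fake_font_injection": injection, "hits": hits}

if __name__ == "__main__":
    good = sha256_hex(CLEAN_INDEX)
    for label, src in (("clean", CLEAN_INDEX), ("infected", INFECTED_INDEX)):
        print(label, assess(src, good))
```

In a real deployment the known-good hash comes from a pristine copy of the same WordPress release, so any hash mismatch in a core file is worth inspecting even when none of the string indicators fire.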
In this article, we showed one of the ways that bad actors can disguise their injected malicious code.
This incident shows how important website security is to both website owners and visitors.
It’s a huge responsibility for website owners to provide a malware-free website experience to their visitors, members, and customers. We offer a cloud-based website security platform that was created to give website owners peace of mind and users secure browsing.