Google has been the victim of criminal internet attacks in recent times, and it seems that this is not about to end anytime soon.
Internet security researchers from Proofpoint have detected a new malware campaign that is directed towards Google Chrome users on Windows PCs.
The researchers first got wind of the malware campaign in December 2016. This malware campaign employs the notorious EITest chain often present in numerous exploit kits used to carry out different kinds of internet attacks, including ransomware attacks and identity theft.
The malware is spread through certain insecure websites that trick Google Chrome users into downloading a malicious font update package, which contains the malware that subsequently attacks the browser.
The researchers have pointed out that the malware only affects Google Chrome browsers on Windows operating systems from particular countries, and that the infection is only possible through user navigation to the compromised websites.
Compromised systems must have met three criteria: the websites visited are based in the targeted country, the sites were opened in the Google Chrome browser, and the hyperlinks were opened using a specific route (referral link).
The malware injects its code into the page when it detects a Chrome browser, after which the user cannot read the page's content.
It then displays the font update alert that tricks Chrome users into clicking the tab. The malware tells the user that the particular font is unavailable and that they should instead opt for the provided update.
Once this happens, a false font file is automatically downloaded and installed into the browser.
This infection has been able to spread by tricking so many users because of its legitimate veneer: the message displayed by the malware uses Google Chrome's logo and button styles as they appear in the actual Google Chrome web browser, managing to fool even seasoned computer users. The malware, named "Chrome_Font.exe", changes HTML tags and ruins web pages.
This type of malware is responsible for internet fraud and has been referred to as Fleercivet by Microsoft.
The malware in this campaign injects the attacker's scripts into the source code of the compromised sites.
This additional script changes HTML tags to "&#0" after storing the data between the tags in an array, which destroys the website's content since the above character is not a proper ISO character.
The resulting character, displayed all over the compromised web page, is the one often seen when websites and software have a font or character rendering issue. This is how the malware manages to trick Google Chrome users into thinking that they need to download and install the aforementioned font package update.
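For site owners who monitor rendered snapshots of their own pages, the symptom described above can be checked mechanically. The following Python sketch is an added example, not code from Proofpoint or from the campaign: it measures how much of a page's visible text has become the replacement character that HTML parsers produce for "&#0" and whether the page also links to an .exe download. The names `TextAudit` and `audit_snapshot`, the 0.5 threshold and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

REPLACEMENT = "\ufffd"  # what an HTML parser yields for the reference &#0

class TextAudit(HTMLParser):
    """Collects visible text and links to .exe files from a DOM snapshot."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.skip = 0          # nesting depth inside <script>/<style>
        self.text = []
        self.exe_links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().split("?")[0].endswith(".exe"):
                self.exe_links.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.text.append(data)

def audit_snapshot(html_source, threshold=0.5):
    """Flag a page whose text is mostly U+FFFD and that also offers an .exe."""
    parser = TextAudit()
    parser.feed(html_source)
    parser.close()             # flush text buffered at end of input
    chars = [c for c in "".join(parser.text) if not c.isspace()]
    ratio = sum(c == REPLACEMENT for c in chars) / len(chars) if chars else 0.0
    return {"garbled_ratio": ratio, "exe_links": parser.exe_links,
            "suspicious": ratio >= threshold and bool(parser.exe_links)}

# Constructed snapshots (hypothetical markup, not captured from a real site).
CLEAN = "<html><body><h1>News</h1><p>Plain readable text.</p></body></html>"
GARBLED = ("<html><body><h1>" + "&#0;" * 12 + "</h1><p>" + "&#0; " * 60 +
           '</p><div>Font update required '
           '<a href="/download/Chrome_Font.exe">Update</a></div></body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("garbled", GARBLED)):
        print(name, audit_snapshot(page))
```

The check needs the rendered DOM (for example, a snapshot saved by a headless browser) rather than the raw server response, because the substitution is performed by the injected script after the page loads.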
Once a computer has been infected, Google Chrome begins to browse automatically in the background.
The researchers have stated that the malware causes the browser to navigate to predetermined URLs where it clicks on hidden ads without the knowledge of the user.
This is the primary method through which the cybercriminals behind this scheme earn money. It is important to note that this type of malware was sold on underground cybercrime forums in 2015 and 2016.
The internet criminals responsible for EITest chain attacks usually use known vulnerabilities to compromise a large number of websites.
The classic strategy works through the redirection of a small number of compromised users from these websites to the payload containing the malware.
The researchers have noted that this new malware campaign is unique in that, instead of being used in EITest chain exploit kits, it is more targeted in its approach.
In addition, since this method relies on Google Chrome users clicking and subsequently infecting themselves, there is no conclusive guarantee of profit from the exploit kit.
As more people are becoming aware of the importance of implementing cyber security, internet criminals are finding it harder to execute malware attacks successfully.
This recent campaign targeted at Google Chrome indicates that cyber criminals are resorting to sophisticated methods to ensure malware installation.
The internet security researchers at Proofpoint have stated that this malware campaign, like many others before it, is made possible through the human vulnerability factor.
While certain measures have been taken to prevent and mitigate these attacks, Google Chrome users have been advised to be vigilant about this and similar kinds of cyber-attacks.