A recently observed malware distribution campaign has been specifically devised to target users of the Chrome browser on Windows-based computers, Proofpoint security researchers warn.
The campaign uses the infamous EITest infection chain, which has been previously associated with numerous exploit kit attacks leading to ransomware, information stealers, and other malware. First documented in 2014, EITest has seen numerous changes, and the switch to more targeted attacks instead of relying on exploit kits for infection is one of them.
The newly observed attack change was first noticed in December, when a compromised website was dropping the “Chrome_Font.exe” file onto visitors’ computers. The site, Proofpoint discovered, was EITest-compromised, and was dropping the file only after a series of filtering mechanisms were triggered.
The attack, security researchers found out, was targeting Chrome for Windows users specifically. As soon as the visitor was determined to use this browser, the code injected in the page would make text unreadable, and a fake alert was displayed, prompting the user to download and install a file supposedly containing new fonts.
“The infection is straightforward: if the victim meets the criteria – targeted country, correct User-Agent (Chrome on Windows) and proper referer – the script is inserted in the page and rewrites the compromised website on a potential victim’s browser to make the page unreadable, creating a fake issue for the user to resolve,” Proofpoint researcher Kafeine explains.
The website, however, would attempt to infect Internet Explorer users as well. As long as they met specific criteria, they were exposed to a more “classic” exploit kit attack, the researcher notes.
The attack on Chrome users relied on storing all the data between HTML tags in an array, then replacing them with “&#0”. Because this is not a proper ISO character, the browser would display the replacement character � instead.
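A defender-side check for the page rewrite described above, as an added example that is not from Proofpoint or the original article: it scores a serialized DOM snapshot (for instance, one saved by a crawler after scripts have run) by how much of its visible text is NUL character references or U+FFFD. The function names, thresholds and sample pages are assumptions constructed for illustration.

```javascript
// NUL references (&#0, &#0;, &#x0;) but not longer ones such as &#038;.
const NUL_REF = /&#(?:0+(?!\d)|x0+(?![0-9a-f]));?/gi;
const REPLACEMENT = /\uFFFD/g;

// Keep only the text between tags; script/style bodies and comments are not visible text.
function textBetweenTags(html) {
  return html
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<!--[\s\S]*?-->/g, " ")
    .replace(/<[^>]*>/g, " ");
}

// Count unreadable glyphs against all non-whitespace glyphs in the visible text.
function scoreUnreadableText(html) {
  const text = textBetweenTags(html);
  const nulRefs = (text.match(NUL_REF) || []).length;
  const replaced = (text.match(REPLACEMENT) || []).length;
  // Each NUL reference renders as a single replacement glyph.
  const total = text.replace(NUL_REF, "\uFFFD").replace(/\s+/g, "").length;
  const ratio = total === 0 ? 0 : (nulRefs + replaced) / total;
  return { nulRefs, replaced, total, ratio };
}

// Assumed thresholds: at least 20 bad glyphs making up 30% or more of the text.
function looksRewritten(html, minBad = 20, minRatio = 0.3) {
  const s = scoreUnreadableText(html);
  return s.nulRefs + s.replaced >= minBad && s.ratio >= minRatio;
}

// Constructed samples: a normal page and a snapshot whose text was overwritten.
const CLEAN_PAGE =
  '<html><body><h1>Quarterly report</h1><p>Revenue grew &#038; costs fell.</p>' +
  '<script>var s = "&#0";</script></body></html>';
const REWRITTEN_PAGE =
  "<html><body><h1>" + "\uFFFD".repeat(16) + "</h1><p>" +
  "&#0;".repeat(30) + "</p><p>OK</p></body></html>";

console.log(looksRewritten(CLEAN_PAGE), scoreUnreadableText(CLEAN_PAGE));
console.log(looksRewritten(REWRITTEN_PAGE), scoreUnreadableText(REWRITTEN_PAGE));
```

Because the rewrite happens in the browser, the check is only meaningful on the rendered DOM, not on the raw HTML fetched from the server.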