Fake Roboto Condensed font update installs malware on your computer

A fake message claims that the Roboto Condensed font is missing and asks users to update and install it, which puts malware on the computer.

The security researcher behind MalwareBreakdown has published an analysis of a new SocEng (social engineering) attack that imitates the EITest HoeflerText attack. When a user visits an infected site, they see a message saying that the Roboto Condensed font cannot be found and that they must download and install a font package to view the page. If the user installs one of these font packages, the computer is infected with Trojans, software that monitors computer activity, and cryptocurrency miners.

How does the attack through the Roboto Condensed font work?

To perform this type of attack, the attacker first has to hack a website and edit it so that JavaScript code is added to every page on the site. When the script runs, it garbles the text on the page so that it looks as if a font is missing. The JavaScript then displays a dialog box saying that you need to download a font package to continue viewing the page.

Below is an example of this scenario.

Picture 1: Example of the JavaScript snippet inserted into the web page

When you visit a hacked site like this, the text is distorted and unreadable. However, this scenario does not always work smoothly on hacked pages. For example, in the MalwareBreakDown article (https://malwarebreakdown.com), the page displays text as nonsense characters.

Picture 2: Prompt to update the Roboto Condensed font to continue viewing the page

But on another hacked page, the page still displays normal text.

Picture 3: Text displayed normally on a hacked page

If you use Chrome, the font download is called Chrome Font Pack. If you use Mozilla Firefox, it is named Mozilla Font Pack.

Picture 4: Font download notification in Mozilla Firefox

Once you click Update, the script downloads a file called chromefp60.exe if you use Chrome or mozillafp60.exe if you use Firefox. The alert then changes into instructions for saving and installing the downloaded file.

Picture 5: Instructions for running and installing the downloaded file

The good news is that the downloaded file does not run automatically: the victim must install it manually to be infected. The attacker hopes that distorted text and a fake browser warning about a missing font will trick users into running the file. Once the file is executed, the malware is installed on the computer.
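For defenders, the download step described above leaves a trace in web proxy logs. The following is an added example, not code from MalwareBreakdown or the original article: it flags requests for the two file names reported here and records the referring page, which is the likely compromised site. The tab-separated log format, the sample lines and the generalisation to any version digits are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# File names reported on this page; the generalisation to any version
# digits (fp\d+) is an assumption, not something the page states.
LURE_EXE = re.compile(r"^(chrome|mozilla)fp\d+\.exe$", re.IGNORECASE)

# Constructed sample lines in a hypothetical tab-separated proxy format:
# time, client, method, url, referer, user-agent
SAMPLE_LOG = """\
2017-08-30T10:01:02Z\t10.0.0.5\tGET\thttp://blog.example/post/1\t-\tMozilla/5.0 Chrome/60.0
2017-08-30T10:01:40Z\t10.0.0.5\tGET\thttp://cdn.example/dl/Chromefp60.exe?id=7\thttp://blog.example/post/1\tMozilla/5.0 Chrome/60.0
2017-08-30T10:03:11Z\t10.0.0.9\tGET\thttp://cdn.example/dl/mozillafp60%2Eexe\thttp://shop.example/\tMozilla/5.0 Firefox/55.0
2017-08-30T10:04:00Z\t10.0.0.7\tGET\thttp://vendor.example/setup.exe\t-\tMozilla/5.0 Firefox/55.0
malformed line without enough fields
"""

def find_font_pack_downloads(log_text):
    """Return one dict per request whose file name matches the lure executables."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed or truncated lines
        when, client, method, url, referer, agent = fields
        # Decode percent-escapes and drop query/fragment before taking the basename.
        path = unquote(urlsplit(url).path)
        name = path.rsplit("/", 1)[-1]
        match = LURE_EXE.match(name)
        if match:
            hits.append({
                "time": when,
                "client": client,
                "file": name.lower(),
                "lure": match.group(1).lower(),
                # The referer points at the page that showed the fake font dialog.
                "landing_page": None if referer == "-" else referer,
            })
    return hits

if __name__ == "__main__":
    for hit in find_font_pack_downloads(SAMPLE_LOG):
        print(hit)
```

A hit identifies both the client that fetched the file and the landing page to review or block; whether the file was then run has to be confirmed on the endpoint, since infection requires manual execution.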

Roboto Condensed font pack installs Ursnif, miners and Trojan downloaders

According to MalwareBreakDown, the attacker behind the Roboto Condensed Font Pack keeps rotating between different types of malware. Currently, these include Monero mining tools, Trojan.Downloaders and Ursnif, malware that tracks computer activity. None of them is good, but the most dangerous is Ursnif.

Ursnif runs silently in the background, recording whatever you type on the keyboard, which web pages you visit and any text you copy to the clipboard. This can expose sensitive information such as commercial transactions, usernames and passwords, and financial information.

Because the attacker constantly changes the types of malware installed on the user's computer, it would not be surprising to see extortion malware (ransomware) in the future.

Chrome Font Pack warning text

The "Roboto Condensed" font was not found.

The web pages you are trying to load are displayed incorrectly. To fix the error and continue displaying them, you can update the "Chrome Font Pack".
Manufacturer: Google Inc. All Rights Reserved.
Current version: Chrome Font Pack 54.0.2785.89
Latest version: Chrome Font Pack 60.0.3112.90

Mozilla Font Pack warning text

The "Roboto Condensed" font was not found.

The web pages you are trying to load are displayed incorrectly. To fix the error and continue displaying them, you need to update the "Mozilla Font Pack".
Manufacturer: Mozilla Corporation.
Current version: Mozilla Font Pack 53.0.2785.89
Latest version: Mozilla Font Pack 60.0.3112.90
