“Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users.

A couple of days ago I found a dozen or so domains using a social engineering attack like that of the RELST and HoeflerText campaigns. This attack, which I call “Roboto Condensed” for reasons that will become obvious, targets both Chrome and Firefox users. Users are likely to be redirected to these social engineering domains via malvertising, hacked sites, or links in spam emails; however, I haven’t been able to verify an actual referer yet.

Once on the domain, users are presented with a popup stating that they are missing the “Roboto Condensed” font. The message goes on to say, “the web page you are trying to load is displayed incorrectly, as it uses the ‘Roboto Condensed’ font. To fix the error and display the next, you have to update the ‘Chrome Font Pack’”. Firefox users see a similar message.

The full message for Chrome is:

The "Roboto Condensed" font was not found.

The web page you are trying to load is displayed incorrectly, as it uses the "Roboto Condensed" font. To fix the error and display the next, you have to update the "Chrome Font Pack".

Manufacturer: Google Inc. All Rights Reserved.
Current version: Chrome Font Pack 54.0.2785.89
Latest version: Chrome Font Pack 60.0.3112.90

The full message for Firefox is:

The "Roboto Condensed" font was not found.

The web page you are trying to load is displayed incorrectly, as it uses the "Roboto Condensed" font. To fix the error and display the next, you have to update the "Mozilla Font Pack".

Manufacturer: Mozilla Corporation.
Current version: Mozilla Font Pack 53.0.2785.89
Latest version: Mozilla Font Pack 60.0.3112.90

Below are images of the popups:


Image 1: Roboto Condensed domain viewed with Chrome


Image 2: Roboto Condensed domain viewed with Firefox

This is the exact same message, errors and all, used by the HoeflerText social engineering attack:


Image 3: Error in the writing shows “next” but it should be “text”. Image taken from BleepingComputer.com.

Users are then tricked into downloading and installing the missing “font” file to view the webpage properly.

Below is an example of the malware being downloaded with Chrome and Firefox:

Image 4: Chrome downloading the file (the download isn’t blocked)

Image 5: Firefox downloading the file

Users are given clear instructions for how to download and run the files:

The “Roboto Condensed” font was not found
To install “Roboto Condensed” font for your PC:
  1. Download the file.
  2. If prompted, click Run or Save
  3. If you choose Save, double-click the file to start the installation process. We will automatically import your home page settings and browser history for you.
  4. Reboot

The malware payload being delivered depends on which “Roboto Condensed” page you’ve landed on. For example, numerous pages are dropping an XMRig CoinMiner, while others are dropping Nymaim and Ursnif. Thanks again to @Antelox for helping to ID the malware!

Additionally, many of their older domains are using a meta refresh to redirect users to a benign site after 5 seconds:


Image 6: meta refresh redirect

I’m guessing this was a flaw in their code. Checking their newer domains, this appears to have been fixed.

Another interesting note is that, depending on the domain you land on and the browser being used, you could end up with different payloads. For instance, one of the newer domains gives Chrome users chromefp60.exe whereas Firefox users will download mozillafp60.exe:


Image 7: iframe loads another page

Note that Internet Explorer users won’t be prompted with any popup for the missing “Roboto Condensed” font but will instead be redirected to the domain loaded within the iframe.

This iframe is also causing the user to see a page loading in the background, behind the popup:


Image 8: Images in the background from another domain

Again, this appears to be an error, as the page isn’t displaying the “scrambled text” that we should be seeing with this type of social engineering attack (shown in images 1 and 2).

Another thing to note is that, at this moment, all the malware binaries are being hosted on one hacked website. Below are hashes and the files that I’ve collected thus far. I will likely do individual write-ups that contain more detailed analysis on the infections that I find interesting.

Lastly, here is a sample of the “Roboto Condensed” landing page. It has been decoded and cleaned by my friend @irdivision:

https://pastebin.com/BGH8e3Vt

A few quick notes about what this JavaScript file was doing.

The function check_if_chrome() examines the user-agent string and, depending on the browser it identifies, loads the matching fake font page. We can also see that an Edge user-agent loads the same content as Chrome.

[Image: user-agent check in check_if_chrome()]
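To make the browser gating concrete, here is an added example (my own code, not the landing page’s script) that reduces the user-agent branching described above to pure functions that can be replayed offline. The two filenames are the ones observed in the campaign; the iframe target URL, the regexes, and the sample user-agent strings are assumptions constructed for the example. The ordering of the checks also offers one plausible explanation for the Edge behaviour: an EdgeHTML user-agent contains “Chrome/” as well as “Edge/”, so any check that looks for “Chrome” before “Edge” will treat Edge as Chrome.

```javascript
// Added example, not code from the "Roboto Condensed" landing page: the
// user-agent branching the post describes, reduced to pure functions so it
// can be exercised offline. chromefp60.exe / mozillafp60.exe are the
// observed filenames; the iframe target URL and the regexes are assumptions.

const IFRAME_TARGET = "http://iframe-target.invalid/"; // assumed placeholder

function classifyUserAgent(ua) {
  // Order matters. IE is tested first because its UA carries neither
  // "Chrome/" nor "Firefox/". An EdgeHTML UA contains "Chrome/" as well as
  // "Edge/", so testing for Chrome before Edge classifies Edge as Chrome,
  // which matches the post's observation that Edge receives the Chrome lure.
  if (/Trident\/|MSIE /.test(ua)) return "ie";
  if (/Chrome\//.test(ua)) return "chrome";
  if (/Firefox\//.test(ua)) return "firefox";
  return "other";
}

function selectLure(ua) {
  switch (classifyUserAgent(ua)) {
    case "chrome":
      return { action: "popup", pack: "Chrome Font Pack", filename: "chromefp60.exe" };
    case "firefox":
      return { action: "popup", pack: "Mozilla Font Pack", filename: "mozillafp60.exe" };
    case "ie":
      // No popup for IE; the visitor is sent to the page loaded in the iframe.
      return { action: "redirect", url: IFRAME_TARGET };
    default:
      // Non-browser clients (crawlers, sandboxes fetching with curl) see nothing.
      return { action: "none" };
  }
}

// Constructed sample UA strings (typical 2017 values), not captured from the campaign.
const SAMPLE_UAS = {
  chrome: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
  edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063",
  firefox: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
  ie11: "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  curl: "curl/7.54.0",
};

// Replay every sample UA and print what each visitor would have been served.
for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(name.padEnd(8), JSON.stringify(selectLure(ua)));
}
```

The practical point for analysts is the last branch: a crawler or sandbox that fetches the landing page with a non-browser user-agent (or with IE’s) never sees the popup or the download, so a page like this has to be replayed once per browser user-agent before concluding it is benign.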

This script also contained a large hex encoded array populated with 810 items that would be used throughout the script to perform substitutions to deobfuscate other portions of itself on-the-fly. Below is a small excerpt of the strings after decoding them:

[Image: excerpt of the decoded strings]
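The decoding itself is mechanical once you know the pattern, so here is an added example (my own code, not the campaign’s script and not the tool used for the pastebin above) of a small inliner for this kind of hex-encoded string array. The obfuscated input is constructed in the same style with four entries instead of 810; the array name _0x3a1b and the statement that references it are invented for the example.

```javascript
// Added example, not the campaign's own code: a small inliner for the
// "hex-encoded string array" obfuscation the post describes. The input below
// is constructed in that style (four entries instead of 810); the array name
// _0x3a1b and the surrounding statement are invented.

const SAMPLE_OBFUSCATED = String.raw`var _0x3a1b=["\x52\x6f\x62\x6f\x74\x6f\x20\x43\x6f\x6e\x64\x65\x6e\x73\x65\x64","\x68\x72\x65\x66","\x63\x68\x72\x6f\x6d\x65\x66\x70\x36\x30\x2e\x65\x78\x65","\x43\x68\x72\x6f\x6d\x65"];
if(navigator.userAgent.indexOf(_0x3a1b[0x3])!==-1){document.getElementById("dl")[_0x3a1b[1]]=_0x3a1b[2];}`;

// Turn \xHH and \uHHHH escapes into the characters they stand for.
function decodeEscapes(s) {
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find the first `var _0x....=[ ... ];` declaration and decode its entries.
function extractStringArray(src) {
  const decl = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([\s\S]*?)\];/);
  if (!decl) throw new Error("no string array declaration found");
  const items = [];
  const strRe = /"((?:[^"\\]|\\.)*)"/g; // double-quoted literal, escapes allowed
  let m;
  while ((m = strRe.exec(decl[2])) !== null) items.push(decodeEscapes(m[1]));
  return { name: decl[1], declaration: decl[0], items };
}

// Replace every NAME[0x..] / NAME[n] reference with the decoded literal and
// drop the now-unused declaration. Nothing is eval'd, so this is safe to run
// on hostile input.
function inlineStringArray(src) {
  const { name, declaration, items } = extractStringArray(src);
  const refRe = new RegExp(name + "\\[(0x[0-9a-fA-F]+|\\d+)\\]", "g");
  const inlined = src.replace(refRe, (whole, idx) => {
    const i = Number(idx); // Number("0x3") === 3
    return i < items.length ? JSON.stringify(items[i]) : whole; // leave out-of-range refs alone
  });
  return inlined.replace(declaration, "").trim();
}

console.log(inlineStringArray(SAMPLE_OBFUSCATED));
```

This handles direct indexing only. Obfuscator-generated scripts frequently add an accessor function with an index offset, or rotate the array at load time before any lookups; in those cases the rotation has to be reproduced first, and the inliner then runs against the rotated array.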

The most peculiar piece of this script was the function include_jquery(), which quite literally included jQuery. This function utilized the obfuscated string array from above to mask the inline addition of the jQuery 3.1.0 library. Cross-referencing the code found in the malicious script, I concluded it was a custom port of the production release of jQuery 3.1.0, found here. All the functions from the jQuery library were present, some context was redefined, and the logic used for evaluations of if-statements and other tests was simplified. This could have been solved with a src attribute added to the encapsulating script tag, but this would have required that jQuery 3.1.0 was already present on the web server, which, given the inline inclusion, was likely not the case.

[Image: the include_jquery() function]

Hashes:

SHA256: 8e2ccc05e4d3bf6b2cf80c6496253dd65e5cb2ae8e650508a4589530d7645562
Filename: chromefp60.exe – Nymaim
SHA256: 19699d486840e392aa9b9630ab5df16233cca09230d7da30b60bb60cf973150c
Filename: mozillafp60.exe – Nymaim
SHA256: d62d1e7dbb0ccdd73b83ffc1084632b8c36783df50e187a8e482a3f89ee482f4
Filename: fontpackup.exe – Ursnif
SHA256: c126d308e4c6c7e31ecffed9e235e8ff5bddd77924a08eed9e8b0bb4e7d7d0ed
Filename: fp60.exe – XMRig CoinMiner
SHA256: 4de7048d4ab1e1d82cad37354945e1a41afe39eb6ef84668f381e0ddb6dfc357
Filename: fontupdate.exe – CoinMiner

Dropped the following two files:
SHA256: 05eb541be4bc41ad5adc4d4eeda9146d9a0efef4b56e36fe0436ab7cd0a85974
Filename: FMAP.exe – CoinMiner

SHA256: 1d8790d659dc24c2a67b56b6b4104b84eb5d33ce49249332479a26c834408065
Filename: Isass.exe – CoinMiner

Downloads:

Malware samples.zip
Password is “infected”

Until next time!
