A couple of days ago I found a dozen or so domains using a social engineering attack like that of the RELST and HoeflerText campaigns. This attack, which I call "Roboto Condensed" for reasons that will become obvious, targets both Chrome and Firefox users. Users are likely redirected to these social engineering domains via malvertising, hacked sites, or links in spam emails; however, I haven't been able to verify an actual referer yet.
Once on the domain, users are presented with a popup stating that they are missing the “Roboto Condensed” font. The message goes on to say, “the web page you are trying to load is displayed incorrectly, as it uses the ‘Roboto Condensed’ font. To fix the error and display the next, you have to update the ‘Chrome Font Pack'”. Firefox users see a similar message.
The full message for Chrome is:
The "Roboto Condensed" font was not found. The web page you are trying to load is displayed incorrectly, as it uses the "Roboto Condensed" font. To fix the error and display the next, you have to update the "Chrome Font Pack". Manufacturer: Google Inc. All Rights Reserved. Current version: Chrome Font Pack 54.0.2785.89 Latest version: Chrome Font Pack 60.0.3112.90
The full message for Firefox is:
The "Roboto Condensed" font was not found. The web page you are trying to load is displayed incorrectly, as it uses the "Roboto Condensed" font. To fix the error and display the next, you have to update the "Mozilla Font Pack". Manufacturer: Mozilla Corporation. Current version: Mozilla Font Pack 53.0.2785.89 Latest version: Mozilla Font Pack 60.0.3112.90
Below are images of the popups:
This is the exact same message, errors and all, used by the HoeflerText social engineering attack:
Users are then tricked into downloading and installing the missing “font” file to view the webpage properly.
Below is an example of the malware being downloaded with Chrome and Firefox:
Users are given clear instructions for how to download and run the files:
The “Roboto Condensed” font was not found
To install “Roboto Condensed” font for your PC:
Download the file.
If prompted, click Run or Save
If you choose Save, double-click the file to start the installation process. We will automatically import your home page settings and browser history for you.
The malware payload delivered depends on which "Roboto Condensed" page you land on. For example, numerous pages are dropping an XMRig CoinMiner, while others are dropping Nymaim and Ursnif. Thanks again to @Antelox for helping to ID the malware!
Additionally, many of their older domains are using a meta refresh to redirect users to a benign site after 5 seconds:
I’m guessing this was a flaw in their code. Checking their newer domains, this appears to have been fixed.
Another interesting note is that, depending on the domain you land on and the browser being used, you could end up with different payloads. For instance, one of the newer domains gives Chrome users chromefp60.exe whereas Firefox users will download mozillafp60.exe:
Note that Internet Explorer users won't be prompted with any popup about the missing "Roboto Condensed" font but will instead be redirected to the domain within the iframe.
This iframe is also causing the user to see a page loading in the background, behind the popup:
Again, this appears to be an error, as the page isn't displaying the "scrambled text" that we should be seeing with this type of social engineering attack (shown in images 1 and 2).
Another thing to note is that, at this moment, all the malware binaries are being hosted on one hacked website. Below are hashes and the files that I’ve collected thus far. I will likely do individual write-ups that contain more detailed analysis on the infections that I find interesting.
Lastly, here is a sample of the “Roboto Condensed” landing page. It has been decoded and cleaned by my friend @irdivision:
The check_if_chrome() function examines the user-agent string and, depending on the browser it finds, loads the matching fake font page. We can also see that an Edge user-agent loads the same content as Chrome.
This script also contained a large hex encoded array populated with 810 items that would be used throughout the script to perform substitutions to deobfuscate other portions of itself on-the-fly. Below is a small excerpt of the strings after decoding them:
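To show how that pattern is unwound in practice, here is an added example (mine, not the decoded landing page and not the campaign's script): a small Node.js deobfuscator for the "hex-encoded string array plus index lookups" construction described above, followed by a run of the cleaned user-agent gate against realistic user-agent strings. The obfuscated SAMPLE, the array name _0x, the indexOf()-based checks inside check_if_chrome(), and the three content labels it returns are all constructed for this example; the real array had 810 entries and the real function bodies differ. The sample's gate is written to reproduce the behaviour the page observes, namely Chrome and Edge getting the same page, Firefox its own page, and any other browser (Internet Explorer in the post) the iframe redirect.

```javascript
// Added example, not the campaign's own code: deobfuscate a script that
// hides its strings in a hex-encoded array and references them by index,
// then exercise the user-agent gate the cleaned script reveals.

// Constructed obfuscated sample. The real landing page's array held 810
// entries; the names, strings and function body here are assumptions.
const SAMPLE = `
var _0x = ["757365724167656e74", "45646765", "4368726f6d65", "46697265666f78",
           "636f6e74656e745f6368726f6d65", "636f6e74656e745f66697265666f78",
           "636f6e74656e745f696672616d65"];
function check_if_chrome(nav) {
  var ua = nav[_0x[0]];
  if (ua.indexOf(_0x[1]) !== -1 || ua.indexOf(_0x[2]) !== -1) { return _0x[4]; }
  if (ua.indexOf(_0x[3]) !== -1) { return _0x[5]; }
  return _0x[6];
}
`;

// Step 1: locate the string array declaration and hex-decode every element.
function extractHexArray(src) {
  const m = src.match(/var\s+([A-Za-z_$][\w$]*)\s*=\s*\[([^\]]*)\];/);
  if (!m) throw new Error("no string array found");
  const name = m[1];
  const strings = [...m[2].matchAll(/"([0-9a-fA-F]*)"/g)]
    .map((x) => Buffer.from(x[1], "hex").toString("utf8"));
  return { name, strings };
}

// Step 2: replace every NAME[n] lookup with the decoded literal so the
// script reads as plain JavaScript. Out-of-range indices are an error
// rather than silently becoming "undefined".
function inlineLookups(src, name, strings) {
  const escaped = name.replace(/\$/g, "\\$");
  const re = new RegExp(escaped + "\\[(\\d+)\\]", "g");
  return src.replace(re, (_, n) => {
    const i = Number(n);
    if (i >= strings.length) throw new Error("index out of range: " + n);
    return JSON.stringify(strings[i]);
  });
}

function deobfuscate(src) {
  const { name, strings } = extractHexArray(src);
  return inlineLookups(src, name, strings);
}

// Step 3: run the cleaned gate against real-world user-agent strings to see
// which "font pack" page each browser would be served. Evaluating the cleaned
// code is acceptable only because SAMPLE is constructed here; never do this
// with a script pulled from a live campaign.
function routeFor(ua) {
  const cleaned = deobfuscate(SAMPLE);
  const check = new Function(cleaned + "\nreturn check_if_chrome;")();
  return check({ userAgent: ua });
}

// Constructed user-agent strings, modelled on browsers of the period.
const UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36";
const UA_EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299";
const UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0";
const UA_IE = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko";

if (typeof require !== "undefined" && require.main === module) {
  console.log(deobfuscate(SAMPLE));
  for (const ua of [UA_CHROME, UA_EDGE, UA_FIREFOX, UA_IE]) {
    console.log(routeFor(ua));
  }
}
```

The Edge result is worth noting: the EdgeHTML user-agent string carries "Chrome" and "Safari" tokens for compatibility, so any gate that substring-matches "Chrome" before it checks for anything Edge-specific will route Edge to the Chrome content, which is one plausible reason the real script behaves as the post observes.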
The most peculiar piece of this script was the function include_jquery(), which quite literally included jQuery. This function used the obfuscated string array from above to mask the inline addition of the jQuery 3.1.0 library. Cross-referencing the code found in the malicious script, I concluded it was a custom port of the production release of jQuery 3.1.0, found here. All the functions from the jQuery library were present, some context was redefined, and the logic used for evaluating if-statements and other tests was simplified. This could have been solved with a src attribute on the enclosing script tag, but that would have required jQuery 3.1.0 to already be present on the web server, which, given the inline inclusion, was likely not the case.
Filename: chromefp60.exe – Nymaim
Filename: mozillafp60.exe – Nymaim
Filename: fontpackup.exe – Ursnif
Filename: fp60.exe – XMRig CoinMiner
Filename: fontupdate.exe – CoinMiner
Dropped the following two files:
Filename: FMAP.exe – CoinMiner
Filename: Isass.exe – CoinMiner
Password is “infected”
Until next time!