"HoeflerText Font Wasn't Found" Malware Attack For Chrome Identified

"HoeflerText Font Wasn't Found" Malware Attack For Chrome Identified

by Gary Oldwood on 24 February 2017 · 772 views

Malware creators are becoming more and more skillful in their effort to infect our systems. A new kind of malware has appeared recently, which infects websites and tries to persuade visitors to install it in their computer by displaying a "Font wasn’t found" on Google Chrome. Make sure you read this article to  see how you can avoid becoming infected with it.

What is the “Font wasn’t found” malware?

On February 18, 2017, Mahmoud Al-Qudsi of NeoSmart Technologies came across a WordPress website that was infected by a malware. Al-Qudsi did not reveal the name of the website, for obvious reasons.

What’s characteristic in this website was that the text had been replaced by arbitrary symbols. Simultaneously, Chrome displayed a message stating that the "HoefferText" font was supposedly missing.

The "HoeflerText" font wasn't found.

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".

1 large HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

How the attack works

If an unsuspected user clicks on the Update button, a file named Chrome Font v7.5.1.exe will be downloaded on his computer.

2 large HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

At the same time, another message will open which will try to "help" the user install the downloaded file.

3 large HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

At the time of this writing, Chrome does not recognize the file as malware, but it will display a warning that this file isn’t downloaded often, and may be dangerous.

4 large HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

By uploading the file in Virustotal for a scan, Al-Qudsi found that no one else had uploaded it before. Also, only 9 out of the 59 antivirus engines recognized it as malicious.

5 large HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

At the time of writing this article, there are 40 antivirus engines which have added it to their malware lists.

What makes this kind of attack dangerous?

The "font wasn’t found" attack is quite plausible to fool even relatively experienced users.

First, the HoeflerText is a real font. Regardless of its usage levels in websites, which isn’t known, it’s certainly not a name that was made up for this reason.

6 full HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

Then, in combination with the fact that the not even a single letter appears correctly, something achieved by an infection via JavaScript, a “missing font” case seems possible.

The message is also quite well-designed, and can be convincing that it comes from the browser itself. It has the correct logo, right color in the update button, while its grammar and spelling have no serious problems.

For those using Chrome in English, nothing seems particularly strange.

The only real anomaly is that the message states that the user’s current version of Chrome is 53.0.2785.89, which is a fixed number, regardless of the real version that is currently installed.

2 large HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

Most users, however, aren’t aware at any given moment the current version of Chrome which is running, especially since updates are frequent and are performed automatically. Chrome’s version can be found by clicking on the three-dots-icon (9 full HoeflerText Font Wasnt Found Malware Attack For Chrome Identified) located at the end of the browser’s toolbar, and then navigating to Help -> About Google Chrome.

7 full HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

This will take you to a page which shows Chrome’s current version, and whether there are any updates available.

10 full HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

Alternatively, you could just type chrome://help in the browser’s address bar and hit Enter- you will be taken to the same page.

At the time of writing this article, the latest version of Google Chrome is 56.0.2924.87. If you’re running an older version, Chrome will let you know that there is a newer version available, if you navigate to the aforementioned page.

Additionally, according to infected users, this malware, once installed, will encrypt documents located in your hard drive. This means that it belongs to the ransomware category of malware, which will ask for ransom in order to unlock the encrypted files.

11 full HoeflerText Font Wasnt Found Malware Attack For Chrome Identified

Am I in danger of the “Font wasn’t found” attack?

Even though this attack is not widely spread, there are cases reported by users in which they either got their systems infected by downloading the malware, or they had their WordPress website infected with it.

Thus, make sure that you never download and install files (especially executables) that you don’t trust; what you could do in these cases, is perform a quick search in the internet to find out more about the possibly harmful file. Also, website administrators should always keep their software updated, so as to never be vulnerable to known vulnerabilities.

Don’t let silly malware attack attempts outsmart you! Let us know your experiences with malware in the comments section below!

Comments (1)
alice68 on 24 Feb 2017
The binary will not be named "Chrome Font v7.5.1.exe". The version, which is here 7.5.1 is generated base on your IP address. Also, it is irrelevant to say that the malware is detected at 9/59, because they are changing it every hour or so. See https://blog.brillantit.com/exposing-eitest-campaign/ for a detailed analysis of the threat.
Featured Articles