Today while browsing a (compromised) WordPress site that shall remain unnamed, I came across a very interesting “hack” that was pulled off with a bit more finesse than most of the drive-by-infection attempts. This one relies on using JavaScript to change the text rendering, causing it to resemble mis-encoded text with symbols and rubbish in place of the content, then prompts the user to update “Chrome’s language pack” to fix the problem.

Here’s a screenshot of the initial step of the ploy:

And here’s the prompt up close:

This attack gets a lot of things right that many others fail at. The premise is actually believable: the text doesn’t render, and the page claims this is caused by a missing font (HoeflerText, which is a real font, by the way!), which it then prompts you to download and install.

The message is presented in a clean, well-formatted dialog with the correct Chrome logo and, more importantly, the correct shade of blue for the update button. The shape of the update button seems correct, and the spelling and grammar are definitely good enough to get a pass.

At the same time, there are some tell-tale signs for the paranoid (or simply careful).¹ My browser string is easily accessible via window.navigator.userAgent and exposes the correct version of Chrome (Chrome/56.0.2924.87), but the dialog has version 53 hard-coded in there. Personally, I’d also have omitted the Ⓧ in the corner, as that’s the only part that seems out of place in the prompt.
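The version mismatch is the one tell a page can check for itself. The following is an added example, not code from the original post or from the malicious page: it parses the browser family and version out of a user-agent string and flags an “update” prompt whose hard-coded version does not match what the browser actually reports. The user-agent strings in it are constructed test inputs; only the Chrome/56.0.2924.87 value and the hard-coded 53 come from the post.

```javascript
// Added example (not from the original post): sanity-check a "your browser is
// outdated" prompt against what the browser itself reports in navigator.userAgent.
// The UA strings below are constructed test inputs; the real browser reported
// "Chrome/56.0.2924.87" while the fake dialog hard-coded version 53.

// Extract the browser family and full version from a user-agent string.
// Order matters: Edge and Opera UAs also carry a "Chrome/..." token.
function parseBrowser(ua) {
  const rules = [
    ["Edge",    /\bEdg\/(\d+(?:\.\d+)*)/],
    ["Opera",   /\bOPR\/(\d+(?:\.\d+)*)/],
    ["Chrome",  /\bChrome\/(\d+(?:\.\d+)*)/],
    ["Firefox", /\bFirefox\/(\d+(?:\.\d+)*)/],
  ];
  for (const [name, re] of rules) {
    const m = re.exec(ua);
    if (m) return { name, version: m[1], major: parseInt(m[1], 10) };
  }
  return null;
}

// Compare the browser/version a web page claims the user is running with what
// the browser actually reports. A page that hard-codes a stale or mismatched
// version (53 vs. an actual 56) never read the real UA, which marks it as a
// social-engineering prompt rather than a genuine update notice.
function assessUpdatePrompt(ua, claimedBrowser, claimedVersion) {
  const actual = parseBrowser(ua);
  if (!actual) return { suspicious: true, reason: "unrecognised browser" };
  if (actual.name !== claimedBrowser) {
    return { suspicious: true, reason: `prompt targets ${claimedBrowser} but browser is ${actual.name}` };
  }
  const claimedMajor = parseInt(claimedVersion, 10);
  if (claimedMajor !== actual.major) {
    return { suspicious: true, reason: `prompt says ${claimedMajor}, browser reports ${actual.major}` };
  }
  return { suspicious: false, reason: "claimed version matches navigator.userAgent" };
}

// Constructed user-agent strings for offline testing.
const CHROME_56 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36";
const EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.2210.91";

// In a real browser, check the live UA against the version the prompt claims.
if (typeof window !== "undefined") {
  console.log(assessUpdatePrompt(window.navigator.userAgent, "Chrome", "53"));
}
```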

Clicking ‘Update’ (merely out of curiosity!) results in a file named “Chrome Font v7.5.1.exe” being downloaded, and the webpage morphs to “helpfully” encourage the user to run the virus:

At this point, the quality of the social engineering attack takes a nosedive, as do its chances of success. While Chrome does not catch the download as being malicious,² it is blocked by the “this file isn’t downloaded very often” warning (which I personally – speaking as someone lucky enough not to be affected by this – despise, as it imposes a rather hefty and unfair bar on independent software developers).

The image in the popup dialog contains several discrepancies, but first, here it is blown up:

The blurring in the dialog is not from me – that’s how it was presented. It shows a UAC prompt to run a signed executable, which the download most certainly is not. The name of the file in the “help image” is Chrome_Font.exe, while the downloaded file is called “Chrome Font v7.5.1.exe” (which also doesn’t match the so-called “new version” from the first popup dialog, but that’s easily forgivable). The image does not reflect the “not downloaded very often” warning the user actually sees, which makes it highly unlikely that the user will even get as far as the file. Also, the download does not have a file icon, whereas giving it the Chrome icon would have been trivial.

All that aside, the file in question is not caught by Windows Defender or Chrome as being malicious. An upload to VirusTotal reveals it as never-before-seen, with only 9 out of the 59 antivirus scanners in its database correctly identifying the file as malware, and most only via heuristics at that:

Now you know. Be careful and safe browsing!