Fake HoeflerText font update delivers GandCrab ransomware

EITest spreads GandCrab ransomware via HoeflerText Font Update scam

GandCrab – one of the most aggressive ransomware viruses that managed to attack more than 53,000 of PCs and collect more than 600, 000 USD from its victims does not seem to stop its activity even though BitDefender cracked its code and released a free decryptor.^[1]

At the beginning of March 2018, malware traffic analysis known as nao_sec^[2] revealed a new technique actively used for GandCrab distribution. The infamous EITest “The HoeflerText font wasn’t found”^[3] scam campaign.

“The HoeflerText font wasn’t found” is an infamous scam technique, which occurred at the beginning of 2017 was known for carrying Spora ransomware^[4] payload and the Fleercivet Ad Clicking Trojan. The scam turned out to be hugely successful since potential victims quickly fall for the trick.

Hackers apply intricate scheme to run GandCrab ransomware payload

“The HoeflerText font wasn’t found” scam is a never-seen-before strategy that tricks people into installing a HoeflerText Font Update, which has nothing in common with a text font. It's a fake update, which is generated by a compromised website infected with a malicious JavaScript code. It occurs on the hacked sites^[5] only, which can be accessed when people type website URL incorrectly or gets redirected to it by clicking on a malicious pop-up.

Hoefler text font scam pop-up says:

The “HoeflerText” font wasn't found.

The website you are trying to load is displayed incorrectly, as it uses the”HoeflerText” font. To fix the error and display the text, you have to update “Chrome Font Pack”.

ManuFacturer: Google Inc. All Rights Reserved
Current Version: [version number]
Latest version: [version number]

If the potential victim clicks the Install button, the Font_Update.exe file is being downloaded to the system. However, this file is not the ransomware itself. It's an executable file of the g.js script. Depending on the victim's location, the script connects to a remote website and starts downloading apps and files.

According to nao_sec analysis, the script downloads the NetSupport Manager remote access utility,^[6] which, in fact, is a legitimate tool exploited by hackers for malicious activities. Finally, when Font_Update.exe with the g.js script finishes downloading files required for GandCrab ransomware injection, the client32.exe file is being executed and enabled hackers to transmit the virus remotely.

Standalone installer of HoeflerText font update should not be run; Update Google Chrome instead

HoeflerText font update is not legitimate. At least the one that shows up on suspicious websites that contain scrambled text. Even though the whole situation seems realistic, note that Google Chrome is not spreading official Text Font Updates anymore. For this purpose, Google releases Chrome's updates regularly with all applied changes in one place.

Mozilla Firefox is not immune to the fake “Hoefler text font wasn't found” scam as well. Since May 2017, scammers started using this alert for tricking people into installing fake “Mozilla Font Pack” which executes Zeus Panda^[7] banking trojan. Although Mozilla Firefox hasn't been reported for spreading GandCrab crypt-malware yet, its users should also be cautious.

GandCrab keeps attacking PCs even though its free decryptor is already available

BitDefender^[8] started distributing a free GandCrab decryptor at the very beginning of March 2018. The company along with Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol initiated a consolidated security campaign and managed to crack the code and released an official GandCrab decryptor as a part of No More Ransom project.

Although ransomware developers admitted that they have eventually been hacked after two months of proliferation and released decryption tools for most of the victims, they do not seem to stop.

GandCrab is still being offered as a Ransomware-as-a-Service (RaaS) and attacks unsuspecting PC users via “The HoeflerText font wasn’t found” pop-ups. Once the ransomware is executed, it starts data encryption and locks all most popular file types by opening the .GDCB file extension to each of them.

It also creates a GDCB-DECRYPT.txt file, which stands for a ransom note. It instructs the victim to pay 1.54 DASH ransom, which is equal to 1200 USD and urges to contact the developers via [random_name)@cdkconstruction.org email address.

GandCrab virus is also distributed via malicious emails, which contain PDF or DOC, which runs a PowerShell script and creates an exploit file (sct5.txt).

To prevent cyber attacks, it's crucial to keep a reputable security tool installed and update it regularly. Besides, avoid any interaction with suspicious-looking ads and other content. Visiting illegal websites, including gambling or port sites, poses a risk of drive-by-download and similar attacks.

Note that GandCrab is referred to as “one of the most aggressive forms of ransomware so far this year,” so you'd better try to evade its attack.