Spora ransomware disguises under fake Chrome Font Pack update

It is no surprise that cyber racketeers manifest their creativity by exploiting various Windows and Mac features, services, networks and browsers for their misdeeds.[1] Now the time has come for Chrome. IT expert, Brad Duncan, has detected that Spora ransomware, which is gaining notorious popularity in the cyber field, tries to infiltrate users‘ devices via counterfeited Chrome Font Pack update. The entire technique is as sophisticated as the very Spora threat. Chrome browser is one of the most popular browsers[2] used worldwide which suggests that the authors of this elaborate crypto-malware aim high. Due to the range of the cyber campaign, the very threat resembles Locky virus. Thus, the main dilemma arises: is it possible to escape this cyber misfortune?

Exploit kits are earning popularity among ransomware developers. In contrast to spam emails, which still guarantee fewer chances of success, this method is less detectable but instead provides more flexibility. Luckily, a vigilant eye of the virus researcher spotted the virus under disguise. Spora ransomware uses EITattack to initiate the infiltration processes. The cyber villains choose poorly protected domains to plant a corrupted javascript code. Consequently, these web pages turn out to be unreadable as strings of source code are displayed. In order to remove such inconvenience, the hackers propose installing “Chrome Font Pack.” Users are redirected to another domain which states that HoeflerText font wasn’t found.[3] Once the pop-up window emerges, the victim is supposed to enable the installation of the update.exe file. Needless to say that all these messages are presented in the veneer similar to Chrome’s pop-up notifications.

Chrome users get targeted again

Luckily, even if you happen to visit such compromised website, you can manually cancel these messages and thus avoid the attack. Interestingly, that Spora ransomware, which, in fact, might be the same Cerber ransomware under disguise, uses the same EITest technique as CryptoShield 1.0 virus – the latest version of CryptoMix. There are many speculations whether the creators of Locky and Cerber have joined forces or the same gang is behind these attacks. Legitimate websites are becoming a more prevalent hackers’ tool. Last year the website of a popular Chinese restaurant served ransomware instead of explicit menu.[4] These events remind us that personal vigilance plays an important role in ensuring cyber security. Even if you have several top-rated security applications, you might experience the destructive outcomes of the ransomware simply by carelessly enabling suspicious browser extensions or opening corrupted spam email attachments.[5]

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

Read in other languages