New Threat for Chrome Users

Call Gnosys today for your free consultation! 352.870.2034

New Threat for Chrome Users

New Threat for Chrome Users

As if there were not enough to worry about on the web. Today I became aware of a new Chrome “hack” that injects a JavaScript into legitimate but poorly secured websites. The script changes the way text is rendered on the page and makes the characters look like garbage symbols. The user is then prompted to update Chrome’s language pack.







Most threats like this are pretty easy to spot. The logo is wrong or the file that is “compromised” is not really a file or it just does not look clean…not the case here. They nailed it.

If you click the button, you get this screen:






It comes complete with a User Access Control (UAC) prompt to run a signed program. The name of the file in the task bar is Chrome_Font.exe, but the downloaded file is called “Chrome Font v7.5.1.exe.”

The file is not identified by Windows Defender or Chrome as being malicious. Only 38 out of 59 antivirus scanners tested correctly identified the threat.

Symantec finds it as:  ML.Attribute.HighConfidence

The virus seems to monitor the infected system for a particular set of criteria. When met, it may then perform any or all of the following actions:

  • Download and execute additional files or BAT scripts
  • Inject code into svchost.exe to hide itself
  • Gather geolocation data
  • Force the compromised computer to click on ads through Internet Explorer without the user’s knowledge
  • Begin browsing sites in the background

The user remains uninfected until such time as the downloaded executable is run.

As always, if you have any questions about something odd, please contact us.