Most threats like this are pretty easy to spot: the logo is wrong, the “compromised” file is not really a file, or the page just does not look clean. Not the case here. They nailed it.
If you click the button, you get this screen:
It comes complete with a User Access Control (UAC) prompt to run a signed program. The name of the file in the task bar is Chrome_Font.exe, but the downloaded file is called “Chrome Font v7.5.1.exe.”
The file is not flagged as malicious by Windows Defender or by Chrome. Only 38 out of 59 antivirus scanners tested correctly identified the threat.
Symantec detects it as ML.Attribute.HighConfidence.
The virus seems to monitor the infected system for a particular set of criteria. Once they are met, it may perform any or all of the following actions:
- Download and execute additional files or BAT scripts
- Inject code into svchost.exe to hide itself
- Gather geolocation data
- Force the compromised computer to click on ads through Internet Explorer without the user’s knowledge
- Begin browsing sites in the background
The user remains uninfected until the downloaded executable is actually run.
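The behaviour chain above (a "font" installer run from Downloads, a remote thread into svchost.exe, a BAT script launched through cmd.exe, Internet Explorer started in the background) is something endpoint telemetry can catch. The following is an added detection example, not code from the original post; the Sysmon-style event records and their field names are constructed for illustration.

```python
import re
from ntpath import basename  # Windows paths, so split on backslashes

# Constructed Sysmon-style events (Event ID 1 = process create,
# Event ID 8 = CreateRemoteThread). Field names are an assumption.
EVENTS = [
    {"eid": 1, "pid": 4100, "image": r"C:\Users\amy\Downloads\Chrome Font v7.5.1.exe",
     "parent_pid": 2200, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Users\amy\Downloads\Chrome Font v7.5.1.exe"'},
    {"eid": 8, "source_pid": 4100, "target_image": r"C:\Windows\System32\svchost.exe"},
    {"eid": 1, "pid": 4188, "image": r"C:\Windows\System32\cmd.exe", "parent_pid": 4100,
     "parent_image": r"C:\Users\amy\Downloads\Chrome Font v7.5.1.exe",
     "cmdline": r"cmd.exe /c C:\Users\amy\AppData\Local\Temp\update.bat"},
    {"eid": 1, "pid": 5001, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_pid": 4100, "parent_image": r"C:\Users\amy\Downloads\Chrome Font v7.5.1.exe",
     "cmdline": "iexplore.exe"},
    {"eid": 1, "pid": 6000, "image": r"C:\Windows\System32\notepad.exe", "parent_pid": 1500,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},  # benign
]

LURE_NAME = re.compile(r"chrome[ _-]*font", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

def find_lure_pids(events):
    """PIDs of executables named like a Chrome 'font' installer that a browser
    started from a Downloads folder (the lure described in the post)."""
    return {
        e["pid"] for e in events
        if e["eid"] == 1
        and LURE_NAME.search(basename(e["image"]))
        and "\\downloads\\" in e["image"].lower()
        and basename(e["parent_image"]).lower() in BROWSERS
    }

def detect(events):
    """Return sorted (pid, finding) pairs for the lure and its follow-on actions."""
    lures = find_lure_pids(events)
    findings = {(p, "fake font installer launched from Downloads") for p in lures}
    for e in events:
        if e["eid"] == 8 and e["source_pid"] in lures \
                and basename(e["target_image"]).lower() == "svchost.exe":
            findings.add((e["source_pid"], "remote thread into svchost.exe"))
        elif e["eid"] == 1 and e["parent_pid"] in lures:
            child = basename(e["image"]).lower()
            if child == "cmd.exe" and ".bat" in e["cmdline"].lower():
                findings.add((e["parent_pid"], "spawned cmd.exe running a .bat script"))
            elif child == "iexplore.exe":
                findings.add((e["parent_pid"], "spawned Internet Explorer"))
    return sorted(findings)

if __name__ == "__main__":
    for pid, what in detect(EVENTS):
        print(pid, what)
```

The first rule alone (browser-spawned executable from Downloads with "font" in its name) would already fire at the moment the user clicks through the UAC prompt, before any of the follow-on behaviour.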
As always, if you have any questions about something odd, please contact us.