Can “HoeflerText” pop-ups bring Locky ransomware?


Just recently, we discussed a massive spam campaign that sent approximately 23 million ransomware-laden emails. The infection that hackers were attempting to distribute was the Locky crypto-virus. Despite the large number of infectious emails sent, this strategy was not unusual for Locky, or for ransomware samples in general. Deceptive emails are one of the most popular techniques for distributing malware. However, less straightforward tactics are also occasionally adopted to transmit crypto-viruses.

“HoeflerText” pop-up: what is it and what can it do?

The “HoeflerText” pop-up has been around for quite some time and has always been regarded as a troublemaker. In a variety of cases, crypto-viruses have been distributed via these alerts. To be clear, the messages themselves did not contain actual ransomware payloads. Instead, they only distributed downloaders, ready to install ransomware soon after arriving on an operating system.

“HoeflerText” pop-up transmits malware

Although security experts warn that notifications from unknown sources can infect people with all sorts of malware, people tend to neglect this warning.

If you use Google Chrome or Mozilla Firefox, you might have noticed this pop-up, stating that the page about to be accessed won’t be displayed correctly due to a flawed “HoeflerText” font. On the other hand, people who browse with Internet Explorer or Microsoft Edge will be shown different pop-ups even when they visit the same malicious websites. To our knowledge, IE and Edge display technical support scams.

To fix this issue, the notification in Chrome and Firefox urges people to update their “Chrome Font Pack”. If the user clicks the “Update” button, he or she will download Win.JSFontlib09.js, which is actually a JavaScript file. Unfortunately, the file then functions as a downloader, installing Locky ransomware on the operating system. From this point, events take a very unfortunate course for victims: the majority of files on the hard drives are encrypted and people are no longer able to access them properly.
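For defenders, the chain described above leaves a recognisable trace: on Windows, a double-clicked .js file is run by Windows Script Host (wscript.exe). The sketch below is an added example, not code from any vendor or from the researchers mentioned here; it scores process-creation events for that pattern. The event field names, the scoring weights and the sample events are constructed for illustration.

```python
import ntpath
import re

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}  # run by Windows Script Host
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe"}               # browsers that show the font pop-up
LURE = re.compile(r"font", re.I)                       # "Font Pack" wording in the file name
# Assumption: browser downloads land in the user's Downloads or Temp folder.
USER_DROP = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

def script_args(cmdline):
    """Return script-file paths from a command line, honouring quoted paths."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in tokens if ntpath.splitext(t)[1].lower() in SCRIPT_EXTS]

def score(event):
    """Return (points, reasons) for one process-creation event."""
    if ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return 0, []
    points, reasons = 0, []
    for path in script_args(event["cmdline"]):
        if USER_DROP.search(path):
            points += 2
            reasons.append("script run from download/temp folder")
        if LURE.search(ntpath.basename(path)):
            points += 1
            reasons.append("file name uses font lure")
    if points and ntpath.basename(event["parent_image"]).lower() in BROWSERS:
        points += 1
        reasons.append("launched directly from browser")
    return points, reasons

def triage(events, threshold=2):
    """Return (host, points, reasons) for events at or above the threshold."""
    scored = [(ev["host"], *score(ev)) for ev in events]
    return [s for s in scored if s[1] >= threshold]

# Constructed sample events (hypothetical hosts and users, not real telemetry).
SAMPLE = [
    {"host": "pc-01", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Win.JSFontlib09.js"'},
    {"host": "pc-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\bob\Downloads\scan 0042.js"'},
    {"host": "pc-03", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript.exe //nologo C:\ProgramData\Corp\logon.vbs"},
    {"host": "pc-04", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": r'notepad.exe "C:\Users\dana\Downloads\Win.JSFontlib09.js"'},
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

The last sample event shows the harmless outcome: the same file opened in Notepad instead of the script host scores zero.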

However, this is not the only disturbing threat that the “HoeflerText” pop-up can distribute. As it appears, the NetSupport Manager Remote Access Tool can also be installed on devices after the “Update” button is clicked. Brad Duncan, a security researcher from Palo Alto Networks, published a blog post explaining this discovery about websites affected by the EITest campaign.

His focus was on the fact that the “HoeflerText” pop-up transmitted not ransomware but a RAT. According to the researcher, this strategy might be more beneficial to hackers and has more prospects. Therefore, we hope you won’t be tempted to download the updates that these pop-ups suggest!



About the author

 - Virus researcher

I’m a virus researcher and my field of specialization involves but is not limited to the newly-developed ransomware variants. In my opinion, crypto-viruses are highly-underestimated and some Internet users have very few opportunities to learn about their symptoms before it is too late. Our goal here in is to make sure that crucial information about the most relevant malware samples would be available for everyone.

