HoeflerText isn't installed. Really?

Ransomware. The buzzword that's been talked about as the greatest threat to humanity by security service vendors for the past two years in the hopes that this would motivate our customers to invest more in security solutions. Don't get me wrong, the threat presented by ransomware is very real, it's just that the word has been worn out to the point that it doesn't grab our attention anymore.

Still, one of the new types of ransomware that we've been running into recently impressed me so much with its distribution approach and ability to avoid detection that I simply have to bring it up.

How does it infect the user?

We use our favorite Google Chrome browser to visit a web page. The page displays, for the most part, but the text seems to be corrupted. What is this, Chinese text? No, these characters are different. It's a good thing that my trusty Google Chrome browser is so useful and practical, that it immediately offers the missing font I need to install. I give the installation window a quick once-over, and nothing stands out, it seems legitimate enough, so there's no reason for me not to click the browser update button. A few moments later, I'm faced with a new problem, all my files are encrypted, and I'm once again sorry that I wasn't maintaining a backup of the files on my computer.


How is this even possible?

The attacker first decided to target the server that hosts a legitimate website, and then takes control of the server. In this particular case, the attacker abused a vulnerability in an outdated version of WordPress. The attacker then changes the content of the web page by injecting the HTML content with their own JavaScript code. This script executes in the browser and changes the encoding of individual characters (fonts) and, in doing so, corrupts the display of the website's information. The code also only changes the website content for those users who are using the Chrome browser. The next thing the script does is display a popup window, informing the user that the HoeflerText font cannot be found, and offers the installation. Clicking the “Update” button downloads an .exe executable file to the visitor's computer, letting the user know that installing it will solve the apparent website content problems. Rather than do what it claims, the program instead includes code that can have any number of consequences for the web visitor's device. In this particular case, the attacker installs the Spora ransomware.

I should point out that ransomware, as we've known it in the past, established a connection to an external server (Command & Control server) before it began encrypting files. It used this C&C server to agree on an encryption key, which would later be used to decrypt the files. If this key could not be received, the encryption didn't execute. Those who prevent attacks for a living used this connection as a way to protect ourselves from the impact of most ransomware. In case a threat somehow succeeded to download onto the network, we could still use firewalls to block return connections to C&C servers and disarm them.

Spora is a new type of ransomware that was first detected at the beginning of this year. The key difference between the mentioned type of attack and the usual easily discovered threats is that Spora doesn't generate any network traffic or connect to C&C servers. The symmetric key that was used in file encryption process and is also needed to unlock the files is generated on the target workstation, encrypted with the attacker's public key, and logged into a local file. If the user decides to pay the ransom, they send the demanded BitCoins and the file with the encrypted symmetric key to the attacker. The attacker then decrypts the symmetric key needed for the decryption of the files with his own private key and returns it to the user.

What makes this threat particularly effective?

The reason for this attack's effectiveness lies in the fact that it lies in wait on a legitimate website, from which we don't expect to be attacked. Perhaps we've visited the website multiple times before, and have learned to trust it. Furthermore, the pop-up window seems perfectly authentic at first glance, and it's not easily identified as a malicious attack. The user might become suspicious when warned by the browser that this file isn't commonly downloaded, but as we're talking about a legitimate website, even experienced Internet users are likely to be less attentive.

It's also quite hard to protect against this threat because it often changes forms on its own. The piece of the code that executes file encryption is itself encrypted and only assumes its executable form once it's run. This makes it very hard for antivirus applications to recognize the threat.

How about sandboxes?

The most advanced form of protection against malicious code today is called a sandbox. There are purpose-built devices, which run virtual environments (such as Windows Server 2012) in an isolated environment. An unknown file, which we wish to check in the sandbox, is executed in a virtual environment. The activity of the file and its actions after being executed allow the sandbox to recognize malicious code patterns (such as establishing connections, creating processes, altering files, changing registry keys, etc.) and decide whether the file is considered safe or not.

This is why advanced malicious packages include controls that allow them to bypass a sandbox environment, primarily by detecting that they're being inspected in one. For example, the sandbox usually runs a separate virtual machine for each file it inspects. Attackers have analyzed sandboxes and figured this out, so now malicious code includes a new control. It identifies the age of the system on which it's being executed, and if the system is only a few minutes old, no actions are taken – no files are encrypted. This is why the sandbox decides that the file is inert, and sends it on to the user for execution. This flaw was patched, of course, but the case serves as a reminder of how innovative attackers are, and how they keep looking for and finding ways to identify sandbox file execution.

Spora is one of the examples of threats, which detect execution in sandboxes, making it that much harder to detect.

Who's the victim and who's the attacker?

In attacks, in which malicious code spreads through email, it's easy to identify that the attacker is the sender of a malicious email, and that the (intended) victim is the recipient of the email. In the case that I described above, however, the first victim of the attack was the host of the website, which was abused to distribute the files. In some way, the original victim now became the attacker, spreading malicious code to end-targets. The cost that might be incurred by the owner of the website includes a significant loss of reputation with business partners and customers, and it might be higher than the financial cost of paying the ransom to the attackers.

How can we protect ourselves?

The owners of websites can protect their websites against unauthorized changes by regularly updating their software, and adding new security mechanisms (next-generation firewalls, Web Application Firewall…). The website of the company initially targeted is based on the WordPress platform, which includes standard administration access pages. With websites like this, the crucial security measure is one of access limitation – the access to administration pages must be limited to users and devices within the corporate network. This blocks automated systems (bots), which scour the Internet for commonly used platforms and break into them through known vulnerabilities.

Identifying the threat on the user's side is a different matter altogether. The technical means to do so are often ineffective, and the best thing users can do is to maintain a skeptical attitude of all websites, including those they're familiar with. Special care should also be taken with any executable files, especially when the browser displays a warning that the downloaded file lacks a valid issuer signature or that it's not commonly downloaded. There are tools available online that allow you to check files in a sandbox environment, but as threats become increasingly more sophisticated, these methods of identification are also not 100% reliable.

Whenever you come across any suspicious behavior online, it's best that you turn to a qualified professional for assistance. This might mean the IT department in your organization, or you could simply use Google to check whether other people have faced a similar problem before. The first results displayed for a search of “HoeflerText” very clearly inform the user of the dangerous nature of this case, and describe in some detail the way this ransomware can cause damage to your system. As of today, this article is added to the long list of warnings that can be found. The one thing a user should never do, as we all know, is blindly click Next, Yes, and OK. 

The cyber security landscape has gone through very fast changes over the last year. One of the key safety measures remains a good level of knowledge about new developments, and new forms of attack on users and applications detected in the wild.