At the beginning of the year, it was already a well-documented infection chain that generally relied on compromised websites to direct users to exploit kit landing pages. EITest has also been used to deliver a variety of ransomware, information stealers, and other malware, and its footprints can be found going back as far as 2014.

Those behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser, and in recent months, the malware used has been ransomware such as Spora and Mole.

But by late last month, EITest had begun pushing a different type of malware, as recent samples have been shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT), according to security vendor Palo Alto Networks, which is significant because it indicates a potential shift in the motives. Malware is now being sent under the file name “Font_Chrome.exe,” and rather than being ransomware, they are file downloaders.

Palo Alto Networks said victims who use Microsoft Internet Explorer will get a fake anti-virus alert with a phone number for a tech support scam, while victims using Google Chrome as will get a fake HoeflerText popup that offers malware disguised as Font_Chrome.exe. The company advises users to be suspicious of popup messages in Google Chrome stating “The ‘HoeflerText’ font wasn’t found.” And because this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection.



Related Download
The SMB IT Reseller Landscape in Canada: A Time of Transition Sponsor: GoDaddy
The SMB IT Reseller Landscape in Canada: A Time of Transition
IT World Canada recently conducted a survey and interviews of Canadian resellers. The study, sponsored by GoDaddy, reveals that Canadian SMB resellers have taken great strides forward to adapt to the digital era.
Read More