At the beginning of the year, it was already a well-documented infection chain that generally relied on compromised websites to direct users to exploit kit landing pages. EITest has also been used to deliver a variety of ransomware, information stealers, and other malware, and its footprints can be found going back as far as 2014.
Those behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser, and in recent months, the malware used has been ransomware such as Spora and Mole.
But by late last month, EITest had begun pushing a different type of malware, as recent samples have been shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT), according to security vendor Palo Alto Networks, which is significant because it indicates a potential shift in the motives. Malware is now being sent under the file name “Font_Chrome.exe,” and rather than being ransomware, they are file downloaders.
Palo Alto Networks said victims who use Microsoft Internet Explorer will get a fake anti-virus alert with a phone number for a tech support scam, while victims using Google Chrome as will get a fake HoeflerText popup that offers malware disguised as Font_Chrome.exe. The company advises users to be suspicious of popup messages in Google Chrome stating “The ‘HoeflerText’ font wasn’t found.” And because this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection.