Firefox users at risk of banking Trojan

By Balamurugan Selvaraj Published on May 09, 2017 02:57 PM IST

Have you ever noticed abnormal web activity while browsing with Firefox or Chrome? If you have, there is a chance that your PC has been infected through an ongoing scam campaign.

Recently, a malicious scam campaign known as ‘The HoeflerText font wasn’t found’ threatened several Firefox users, asking them to install a font package from the server. In fact, it is not a font package but a banking Trojan named Zeus Panda.

Earlier, the actors threatened Chrome users with the same malicious campaign and made many users install the fake font package, which carried the Spora ransomware. Now, the attackers have revamped and redesigned the same campaign to target Mozilla users.

Proofpoint security researcher Kafeine said, "This time, the campaign has been re-designed to target Mozilla Firefox users with a banking Trojan, called Zeus Panda. The horrible mistake made by the hackers, who were behind this campaign, failed to rename the name of the font pack in Firefox. Because of this flaw, the malicious scam campaign has been easily spotted by the researchers."

HOW THE CAMPAIGN WORKS

While you are browsing in Firefox, much as with an ad campaign, your browser lands on a suspicious website with jumbled content, which asks you to update the Firefox font pack by downloading a missing text font in order to read the article.

This persuasive message tempts people to update their ‘Mozilla Font Pack’.

When the user clicks on the web page, it downloads Mozilla_Font_v7.87.zip, with a JavaScript file, from the malicious website to the victim’s computer.

In the meantime, a set of instructions for installing the package is displayed in the browser. It asks the user to run the JavaScript file to install the missing font pack. As soon as the download is done, the software downloads the malware payload (.exe) from a remote server, runs it automatically and injects the Zeus Panda banking Trojan into the targeted system.
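A defender-side check for the lure described above, as an added example that is not from the article or from Proofpoint: it flags a downloaded archive whose name claims to be a font pack but which holds scripts or executables. The extension lists, the function names and the member name install_font.js are assumptions constructed for illustration; only the archive name Mozilla_Font_v7.87.zip comes from the article.

```python
import io
import re
import zipfile

# Assumption: extensions Windows runs or hands to a script host on double-click.
RUNNABLE_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".lnk", ".bat", ".ps1"}
FONT_EXTS = {".ttf", ".otf", ".ttc", ".woff", ".woff2"}
LURE_NAME = re.compile(r"font", re.IGNORECASE)  # "font pack" style archive names


def ext_of(name):
    # Use the final extension so "font.ttf.js" is treated as a script.
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_archive(archive_name, data):
    """Return a finding dict for a suspicious font-named archive, else None."""
    if not LURE_NAME.search(archive_name):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"archive": archive_name, "runnable": [], "reason": "unreadable archive"}
    runnable = [m for m in members if ext_of(m) in RUNNABLE_EXTS]
    if not runnable:
        return None
    has_fonts = any(ext_of(m) in FONT_EXTS for m in members)
    reason = "fonts mixed with runnable files" if has_fonts else "runnable files and no fonts"
    return {"archive": archive_name, "runnable": runnable, "reason": reason}


def make_zip(files):
    # Build a zip in memory so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: inert placeholder contents, no real malware or fonts.
LURE = make_zip({"install_font.js": "// inert placeholder"})
BENIGN = make_zip({"Example-Regular.ttf": b"\x00\x01\x00\x00", "LICENSE.txt": "OFL"})

if __name__ == "__main__":
    print(inspect_archive("Mozilla_Font_v7.87.zip", LURE))
    print(inspect_archive("example_font_pack.zip", BENIGN))
```
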

Last year, researchers found this banking Trojan, which had targeted banks in Europe and North America and later spread to Brazil through three different exploit kits, including Angler, Nuclear and Neutrino.

After infecting the computer, the Trojan contacts the command and control (C&C) server and sends information about the victim from the device, including a list of the anti-virus and firewall products installed on the PC.

The Trojan’s main aim is to steal the user’s bank credentials, along with information about bitcoin exchanges, payment card services and online payment providers, prepaid cards, airline loyalty programmes and online betting accounts.

To avoid such scams, be careful with what you download. Be precise with your actions. Keep an updated anti-virus package installed on your PC, and don’t believe malicious scam campaigns that try to persuade you to update your Mozilla or Chrome font pack.