Missing font cryptolocker malware

I had an interesting and I believe novel cryptolocker campaign today. It started out with a lot of users receiving alleged copyright infringement notices, stating they had used copyright material in classroom environments (targeting .edu users, obviously).

[Image: malware-email]

The email had a .zip attachment, containing a PDF. A lot (maybe 5%) of recipients were suspicious and let us know, which initially made us think the campaign was a lot larger than we thought.

Running the .zip and .pdf through virustotal and malwr was puzzling though – no result at the time.

Opening the PDF I could see no network traffic. It just opened and displayed, albeit showing a warning about a missing font.

[Image: pdf-missing-font]

Initially we thought either a highly advanced 0day, or bungling crooks who forgot to include the exploit code; however we soon had a report of cryptolocked files that correlated with a received email. Further investigation and talking with other techs flagged the missing font, which led to searching for that missing font:

The second result is the compromised site serving malware

[Image: zip-contents]

So the exploit was actually in the font, which you had to google search to find!
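The lure here is a PDF that is itself clean but references a font it does not embed, so the viewer's "missing font" warning hands the user a name to search for. One defensive check that follows from that is to flag PDFs which reference fonts that are neither embedded nor among the standard 14 a viewer always supplies. The script below is an added example, not code from the original post: it walks the uncompressed objects of a PDF, collects `/BaseFont` names from font dictionaries, collects `/FontName` from font descriptors that carry a `/FontFile`, `/FontFile2` or `/FontFile3` stream, and reports the difference. The sample PDF bytes and the font name `LureFontExample` are constructed for the demo and are not from the campaign.

```python
import re

# The standard 14 PDF fonts every conforming viewer supplies. A reference to
# one of these never produces a "missing font" warning, so they are not lures.
STANDARD_14 = {
    "Courier", "Courier-Bold", "Courier-Oblique", "Courier-BoldOblique",
    "Helvetica", "Helvetica-Bold", "Helvetica-Oblique", "Helvetica-BoldOblique",
    "Times-Roman", "Times-Bold", "Times-Italic", "Times-BoldItalic",
    "Symbol", "ZapfDingbats",
}

# Matches "N G obj ... endobj"; the body is group 1.
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
# A PDF name token: starts with "/" and runs until whitespace or a delimiter.
NAME_TOKEN = rb"/([^\s/<>\[\]()]+)"


def _strip_subset_prefix(name: str) -> str:
    # Subset-embedded fonts are named like "ABCDEF+RealName"; compare on RealName.
    return name.split("+", 1)[1] if re.match(r"^[A-Z]{6}\+", name) else name


def font_references(pdf_bytes: bytes):
    """Return (referenced_fonts, embedded_fonts) found in uncompressed objects."""
    referenced, embedded = set(), set()
    for m in OBJ_RE.finditer(pdf_bytes):
        body = m.group(1)
        if re.search(rb"/Type\s*/FontDescriptor", body):
            # A descriptor that carries a FontFile stream means the glyphs travel
            # with the document and the viewer will not go looking for them.
            fm = re.search(rb"/FontName\s*" + NAME_TOKEN, body)
            if fm and re.search(rb"/FontFile[23]?\b", body):
                embedded.add(_strip_subset_prefix(fm.group(1).decode("latin-1")))
        elif re.search(rb"/Type\s*/Font\b", body):
            bm = re.search(rb"/BaseFont\s*" + NAME_TOKEN, body)
            if bm:
                referenced.add(_strip_subset_prefix(bm.group(1).decode("latin-1")))
    return referenced, embedded


def missing_fonts(pdf_bytes: bytes):
    """Fonts the viewer would have to find elsewhere: referenced, not embedded,
    and not one of the standard 14. Each of these is a name a user may search for."""
    referenced, embedded = font_references(pdf_bytes)
    return sorted(f for f in referenced if f not in embedded and f not in STANDARD_14)


# Constructed sample: three fonts, one standard, one subset-embedded, one missing.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R /F2 5 0 R /F3 7 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Type /Font /Subtype /TrueType /BaseFont /ABCDEF+EmbeddedSans /FontDescriptor 6 0 R >> endobj
6 0 obj << /Type /FontDescriptor /FontName /ABCDEF+EmbeddedSans /FontFile2 8 0 R >> endobj
7 0 obj << /Type /Font /Subtype /TrueType /BaseFont /LureFontExample /FontDescriptor 9 0 R >> endobj
8 0 obj << /Length 0 >> stream
endstream endobj
9 0 obj << /Type /FontDescriptor /FontName /LureFontExample /Flags 32 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name in missing_fonts(SAMPLE_PDF):
        print(f"non-embedded, non-standard font referenced: {name}")
```

The regex walk only sees objects stored in the clear; many real PDFs pack their dictionaries into Flate-compressed object streams, so for mail-gateway use you would first expand the file with a PDF library and then apply the same referenced-minus-embedded logic. A hit is not proof of malice (plenty of documents reference system fonts), but a non-embedded font with an unusual name in an inbound attachment is exactly the signal this campaign relied on and is cheap to log and review.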

Malwr failed opening the zip file. Not sure if this is by design or a happy coincidence for the malware writers. Virustotal finds the malware though.

I find this pretty cool – at a guess the font website, with decent google rankings, must have been compromised at some point, after which the PDFs were crafted with the missing font. The exploitation rate is obviously a lot lower, since the end user has to be bothered to search for and then install the font, but then again coverage was a lot higher, since mail filters did not block the clean PDF attachment. It also means we may see a lot more known sites compromised and used for this sort of thing, rather than just the /sd89dens/sd89dens.exe style cryptolocker URLs we’ve seen so far.

I think we may end up seeing a lot more like this (needless to say, I’ve now blocked the entire domain).