![font pack 2019 font pack 2019](https://www.comscidev.com/wp-content/uploads/2019/09/2019-09-04_10-20-57.jpg)
The variable oneTimeShow, sets the frequency with which the script functions. When the variable is set to False, there are no changes to the website. For this to happen, the variable must be set to True. As a result, in this particular campaign, we could only identify an infection designed for the Windows operating system.Īs mentioned above, when the script is working website contents are visually distorted - this is what the variable var bugs does. The variable var linkMobile creates a link to an app for mobile devices (the link is not active in this particular case). The variable var startTime sets the time (in milliseconds) after which the user will be shown a fake window. Our analysis revealed that, since November 2020, FontPack has infected at least 20 websites, including six that were involved in one campaign. When successful, threat actors were able to collect their victims' credentials, autocomplete field data, and bank card information. Let us focus on one campaign whose goal was to deliver the RedLine stealer to victim devices. According to our data, multiple unconnected hackers use the tool. Threat actors decide what particular fake to show their victim and how often to do so by changing relevant variables in the script code.
FONT PACK 2019 CODE
The code name used by our team, FontPack, is based on the decoy methods employed in the campaign we will analyze in this report.
FONT PACK 2019 UPDATE
The scripts imitate a website crashing and display a message saying that users must update their software, e.g., the browser, Adobe Flash Player, or fonts. All we know so far is that the page is hosted on compromised websites by injecting JS scripts. You will see what this page distributes and how it does so, as well as learn other interesting things that Group-IB has uncovered.įirst and foremost we need to find out who is behind the landing page, down to the specific hacking group or particular threat actor. Today Nikita Rostovtsev, an analyst at Group-IB Threat Intelligence, will show you attribution in practice by examining a malicious landing page that Group-IB specialists are tracking as FontPack. The number of unique malicious programs is decreasing while affiliate programs (collaborations between threat actors) are on the rise, with the number and quality of attacks both going up. Attribution is our main focus here at Group-IB Threat Intelligence & Attribution, and it becomes harder every year.