Although Bitdefender has already released a GandCrab decryptor, GandCrab affiliates are adopting new techniques to keep spreading the ransomware. The malware traffic analysis group nano_sec found that GandCrab was being distributed through EITest, as part of the scam known as the HoeflerText Font Update.
If the browser shows the pop-up and the user clicks on it, the browser downloads a file named Font_Update.exe, which contains the GandCrab ransomware. Any.Run, a sandbox-based malware analysis site, has a video showing what the ransomware does once a user runs it.
Netsupport Manager Remote Access Utility also pushed by EITest
When nano_sec provided the site, I tested it; instead of encountering the GandCrab scam, I had the Netsupport Manager remote access utility downloaded and installed onto my system. nano_sec believes that the payloads distributed can differ depending on the visitor's location.
In my testing, when Font_Update.exe is executed it extracts and runs an obfuscated g.js file. The g.js script then connects to a remote site and downloads a number of files of various types onto the computer, which is now fully infected.
These files belong to the aforementioned Netsupport Manager remote access utility and are downloaded into a folder named tokipp under %AppData%. One important point to note is that the Netsupport Manager remote access utility is not itself malicious. It is a legitimate remote-administration tool, but it is currently being abused by attackers.
Once all the files are downloaded, client32.exe is executed and the attackers gain remote access to the infected computer.
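The infection chain described above (Font_Update.exe dropping g.js, g.js pulling the Netsupport files into a tokipp folder under %AppData%, then client32.exe starting) can be turned into a detection rule. The following Python script is an added example, not code from the article or from nano_sec. It runs over constructed endpoint telemetry: the JSON event lines are invented sample data, not real logs, and the event field names, the use of wscript.exe as the script host for g.js, and the placement of tokipp under %AppData%\Roaming are all assumptions. The check reflects the caveat raised in the text: client32.exe is a legitimate Netsupport binary, so the rule keys on where it runs from and what spawned it rather than on the file name alone.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (assumption: not real logs). One JSON event per
# line, shaped like process-creation and file-creation records an endpoint
# agent might emit. Host ws01 replays the chain described in the article;
# ws02 runs a legitimately installed Netsupport client and must not alert.
SAMPLE_EVENTS = r"""
{"ts": "2018-03-05T10:01:02", "host": "ws01", "type": "process", "pid": 100, "ppid": 20, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "cmdline": "firefox.exe"}
{"ts": "2018-03-05T10:01:40", "host": "ws01", "type": "file", "pid": 100, "path": "C:\\Users\\alice\\Downloads\\Font_Update.exe"}
{"ts": "2018-03-05T10:02:05", "host": "ws01", "type": "process", "pid": 101, "ppid": 100, "image": "C:\\Users\\alice\\Downloads\\Font_Update.exe", "cmdline": "Font_Update.exe"}
{"ts": "2018-03-05T10:02:06", "host": "ws01", "type": "file", "pid": 101, "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\g.js"}
{"ts": "2018-03-05T10:02:07", "host": "ws01", "type": "process", "pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\g.js"}
{"ts": "2018-03-05T10:02:30", "host": "ws01", "type": "file", "pid": 102, "path": "C:\\Users\\alice\\AppData\\Roaming\\tokipp\\client32.exe"}
{"ts": "2018-03-05T10:02:31", "host": "ws01", "type": "file", "pid": 102, "path": "C:\\Users\\alice\\AppData\\Roaming\\tokipp\\client32.ini"}
{"ts": "2018-03-05T10:02:45", "host": "ws01", "type": "process", "pid": 103, "ppid": 102, "image": "C:\\Users\\alice\\AppData\\Roaming\\tokipp\\client32.exe", "cmdline": "client32.exe"}
{"ts": "2018-03-05T11:00:00", "host": "ws02", "type": "process", "pid": 200, "ppid": 5, "image": "C:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe", "cmdline": "client32.exe"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Drop folder named in the article; the parent (Roaming/Local) is an assumption.
TOKIPP_DIR = re.compile(r"\\appdata\\(?:[^\\]+\\)?tokipp\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def lineage(procs, pid):
    """Image basenames from `pid` up through its recorded ancestors."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def analyze(events):
    """Per host, collect which stages of the EITest -> Netsupport chain were seen."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in sorted(by_host.items()):
        procs = {e["pid"]: e for e in evs if e["type"] == "process"}
        stages = {}  # stage name -> timestamp of first sighting
        for e in evs:
            if e["type"] == "process":
                name = basename(e["image"])
                if name == "font_update.exe":
                    stages.setdefault("dropper_executed", e["ts"])
                elif name in SCRIPT_HOSTS and "g.js" in e["cmdline"].lower():
                    stages.setdefault("g_js_executed", e["ts"])
                elif name == "client32.exe" and "\\appdata\\" in e["image"].lower():
                    # A real Netsupport install lives under Program Files; a copy
                    # under AppData that descends from the dropper is the abuse case.
                    stages.setdefault("client32_from_appdata", e["ts"])
                    if "font_update.exe" in lineage(procs, e["pid"]):
                        stages.setdefault("client32_descends_from_dropper", e["ts"])
            elif e["type"] == "file" and TOKIPP_DIR.search(e["path"]):
                stages.setdefault("tokipp_drop", e["ts"])
        if stages:
            severity = "high" if len(stages) >= 3 else "medium"
            ordered = dict(sorted(stages.items(), key=lambda kv: kv[1]))
            findings.append({"host": host, "severity": severity, "stages": ordered})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

Run as-is, the script reports one high-severity finding for ws01 with all five stages in time order and nothing for ws02, whose client32.exe runs from Program Files with no dropper in its ancestry. Requiring several stages before escalating keeps a lone copy of a legitimate binary from paging anyone, while still catching the chain the article describes.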
In conclusion, to avoid the ransomware, users should never download a font pack or similar file offered by an unexpected pop-up. Whatever the browser, the advice is to close all windows immediately and not return to the questionable site.