'Google Chrome Fatal Error!' Pop-Ups

The 'Google Chrome Fatal Error!' pop-up windows, as well as their versions for Mozilla Firefox and Internet Explorer, are generated on websites like securityfalse[.]ga. These websites are used to promote access to uncertified computer support services and convince users to download and run corrupted files. Reports from platforms like Malware-traffic-analysis.net and various AV companies suggest that the group dubbed 'ElTest' is running a massive campaign on the Internet that involves the usage of fake 'Google Chrome Fatal Error!' security warnings and 'The "HoeflerText" font wasn't found' notifications. The ElTest campaign is reported to disperse threats like the CryptoShield 2.0 Ransomware and the Mole03 Ransomware by luring users to download a file named 'Font_Chrome.exe,' which is supposed to include the "HoeflerText font." The 'Google Chrome Fatal Error!' pop-up messages designed by ElTest are known to be delivered via scripts on compromised pages and suggest users that they are infected with the Zeus Banking Trojan and RDN/YahLover.worm!055BCCAC9FEC. The group is known to use tools like the RIG Exploit Kit and the Angler Exploit Kit to present users with misleading content.

• Example 1: Message at clinicalpsychology.psiedu.ubbcluj[.]ro:

'The "HoeflerText" font wasn't found.
The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font.
To fix the error and display the text, you have to update "Chrome Font Pack".
Manufacturer: Google Inc. All Rights Reserved
Current version: Chrome Font pack 53.0.2785.89
Latest version: Chrome Font Pack 57.2.5284.21
[Update|button]'

• Example 2: Message at securityfalse[.]ga/?number-877-804-5390:

'Suspicious activity detected on your IP address due to harmful virus
installed on your computer. Call Toll-Free now 877-804-5390 - Error code: m
for any assistance...
Press ESC to Exit.
Error code: m
Please call 877-804-5390 for immediate assistance. OK'

The ElTest malware distribution campaign is quite extensive, and it employs dozens of IP addresses to circumvent Web filters and security shields. Browsers like Google Chrome and Mozilla Firefox have joined efforts with AV companies to block access to known infection sources. If you attempt to load a compromised page related to the 'Google Chrome Fatal Error!' pop-ups and the "HoeflerText" font wasn't found' notifications, the following detection names may be found in the security report:

• HEUR:Trojan.Script.Generic
• HTML.Trojan.FakeAlert.O
• Suspicious_GEN.F47V0724
• Trojan.Script

Computer security researchers recommend users incorporate multiple protection mechanisms that complement each other and make for a solid cyber defense. We have seen the ElTest campaign take advantage of the 162.244.35.35 and the 162.244.35.36 IP addresses. As mentioned above, there are possibly hundreds of IP addresses that are being in active use to distribute phishing pages and expose users to threats. The list below is incomplete, and you should incorporate a credible security software to stay regularly updated:

• advancedefender1[.]gq
• avassupportcenter1[.]tk
• borudilioprob[.]ga
• clientareasecurity3[.]gq
• connectionproblem[.]gq
• defendersolution3[.]gq
• diubodevisci[.]gq
• helpcentersupport[.]tk
• malawaredefender5[.]cf
• mastermaster[.]cf
• newcastaea[.]top
• nod32supportteam[.]gq
• tioglutinorzan[.]cf
• verifyingaweb[.]top
• warningattack4[.]gq