Loading malicious Javascript from a “benign” file isn’t a new thing, but using a Font file is. Spotted a WOFF file with a malicious payload in the wild. As we’ve seen before when using a PNG, the file is requested using a fetch and then the non-Javascript part of the file is sliced away. A link to the code below: https://gist.github.com/krautface/897f077ab5fd64af2ee1a280be5b91de

The code removes the first 44,040 characters and then remaining part is used to create a new Function, which is then executed.

• Obfuscated: https://gist.github.com/krautface/3938cef4fb6311e249ad7a3a975023f6
• Prettified: https://gist.github.com/krautface/a1ae888070ecbe17a4d21d89e367e6d5
• Prettified and partly deobfuscated: https://gist.github.com/krautface/cd336c48ac60510d015845afe8b0f7f4

In the partly deobfuscated code you can start to see what it’s actually doing if you look at Line 630:

Farther down, you can see the exfil URLs and that it supports both standard GET and websockets:

A key thing with this type of technique is that it’s very abnormal to see a fetch request to an image, font, or any other normally binary file. So if you are monitoring sites and you see something like this, it’s worth investigating.

A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1425204207431344132