Researchers have discovered a new hacking campaign leveraging on Facebook Messenger to spread the Locky ransomware via SVG images.
The Locky Ransomware is spread via a downloader, experts noticed that it is able to bypass Facebook defense measures by pretending to be a harmless image file.
The campaign was first spotted during the weekend by the malware expert Bart Blaze and by the researchers Peter Kruse.
“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.
The SVG image file could be used by attackers as a sort of container that can include a malicious code such as a Java Script.
In May 2015, researchers at the AppRiver security firm discovered a malicious campaign that was distributing a strain of ransomware by exploiting SVG files.
The SVG (Scalable Vector Graphics) is an XML-based vector image format for two-dimensional graphics with support for animation and interactivity. The SVG images include the definition of their behaviors in XML text files, this feature makes possible SVG image can be searched, indexed, scripted, and compressed. Despite SVG images can be created and edited with any text editor, more often they are created directly with a software that elaborates the images.
Back to the present, the new attack leverages a downloader called Nemucod that is spread via Facebook Messenger as a .svg file, as confirmed by Peter Kruse via Twitter.
When the victim accesses the malicious SVG file it will be directed to a website that appears to be YouTube in design only, but once the page is loaded, the victim is asked to install a codec in order to play the video that is shown on the page.
“A website purporting to be Youtube, wih a video from Facebook – of course, you needed to install an additional extension to view it :)” continues Bart Blaze.
If the victim installs the Chrome extension as requested on the page, the attack is this spread further via Facebook Messenger. The experts observed that sometimes the malicious Chrome extension installs the Nemucod downloader, which launches the Locky ransomware attack.
The experts warn of several variants of the attack and likely several malicious extensions used to spread malware like the Locky Ransomware.
“Currently, I’m not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook, but likely it downloads other malware to your machine.” Blaze added in the post.