Spammers using Facebook Messenger to Spread Locky Ransomware

If you came across any Facebook Message with an image file (exactly .SVG file format) send by any of your Facebook friends, just avoid clicking it.

An ongoing Facebook spam campaign is spreading malware downloader among Facebook users by taking advantage of innocent-looking SVG image file to infect computers.

If clicked, the file would eventually infect your PC with the nasty Locky Ransomware, a family of malware that has quickly become one of the favorite tools among criminals due to its infecting capabilities.

Discovered by malware researcher Bart Blaze, the attack campaign uses Facebook Messenger to spread a malware downloader called Nemucod that takes the form of .SVG image files.

Why SVG file? Hackers considered SVG (or Scalable Vector Graphics) files for spreading the malware downloader, because SVG has the ability to contain embedded content such as JavaScript, and can be opened in a modern web browser.

Crooks added their malicious JavaScript code right inside the image file itself, which was actually a link to an external file.

If clicked, the malicious image file would redirect you to a website mimicking YouTube, but with completely different URL.

Like a typical way to deliver malware infection, the site would push a popup, asking you to download and install a certain codec extension in Google Chrome in order to view the video. The malicious extension used two names, Ubo and One.

Once installed, the extension gives the attackers ability to alter your data regarding websites they visit, as well as takes advantage of browser’s access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file.

What’s even worse? Peter Kruse, another malware researcher and colleague of Blaze, noted that the SVG image file containing the Nemucod downloader, in some cases, then ultimately downloads a copy of Locky ransomware on victim’s PC.

Locky ransomware is one of the most popular ransomware that locks all files on a victim’s computer with RSA-2048 and AES-1024 encryption algorithms and unlocks them until the ransom is paid to attackers.

It is not clear at this moment how the SVG files managed to bypass Facebook’s file whitelist extension filter, but both Google and Facebook’s security team has already been notified of the attack.

How to Remove the Malicious Extensions?

While Google has already removed the malicious extensions from its Chrome Store, Facebook will hopefully soon block it entirely.

Update: A spokesperson from Facebook provided a statement to The Hacker News, which reads:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”

He also said that the assertion that this malicious Chrome extension was installing the Locky malware is incorrect. Also, the company believes that the impact of the attack on Facebook has been very limited, as it requires an additional step to install software onto victim’s browser or computer.

If you are one of those who had been tricked into installing one of the two malicious extensions, you can remove it immediately.

To remove the offending extension, just go to Menu → More Tools → Extensions and check for the extension and remove it.

However, if you have been unlucky and you would have ended up with the Locky ransomware and the only way for restoring your files is: A regular backup. If not, you are screwed up!

Via: The Hacker News

 

%d bloggers like this: