Pierluigi Paganini
November 21, 2016
The Locky Ransomware is spread via a downloader, experts noticed that it is able to bypass Facebook defense measures by pretending to be a harmless image file.
The campaign was first spotted during the weekend by the malware expert Bart Blaze and by the researchers Peter Kruse.
“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.
The SVG image file could be used by attackers as a sort of container that can include a malicious code such as a Java Script.
In May 2015, researchers at the AppRiver security firm discovered a malicious campaign that was distributing a strain of ransomware by exploiting SVG files.
The SVG (Scalable Vector Graphics) is an XML-based vector image format for two-dimensional graphics with support for animation and interactivity. The SVG images include the definition of their behaviors in XML text files, this feature makes possible SVG image can be searched, indexed, scripted, and compressed. Despite SVG images can be created and edited with any text editor, more often they are created directly with a software that elaborates the images.
The experts at AppRiver noticed that threat actors in the wild were exploiting a small JavaScript entry contained in the SVG files that allow them to redirect victims to a website used to serve the Cryptowall malware.
“These SVG files however contained a small javascript entry that would open a webpage to download some malware.” AppRiver researchers said in a blog post. “The IP link in question ends up forwarding to another domain where a zip is downloaded of the actual exe payload. It didn’t auto execute, user interaction would still be needed for that. “
Back to the present, the new attack leverages a downloader called Nemucod that is spread via Facebook Messenger as a .svg file, as confirmed by Peter Kruse via Twitter.
Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist. https://t.co/WYRE6BlXIF pic.twitter.com/jgKs29zcaG
— peterkruse (@peterkruse) 20 novembre 2016
When the victim accesses the malicious SVG file it will be directed to a website that appears to be YouTube in design only, but once the page is loaded, the victim is asked to install a codec in order to play the video that is shown on the page.
“A website purporting to be Youtube, wih a video from Facebook – of course, you needed to install an additional extension to view it :)” continues Bart Blaze.
If the victim installs the Chrome extension as requested on the page, the attack is this spread further via Facebook Messenger. The experts observed that sometimes the malicious Chrome extension installs the Nemucod downloader, which launches the Locky ransomware attack.
The experts warn of several variants of the attack and likely several malicious extensions used to spread malware like the Locky Ransomware.
“Currently, I’m not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook, but likely it downloads other malware to your machine.” Blaze added in the post.
If you get infected remove asap the malicious extension from your browser.
[adrotate banner=”9″]
(Security Affairs – Locky Ransomware, SVG images)
