Malicious images on Facebook lead to Locky Ransomware

Images sent via Facebook Messenger lead to Ransomware or Nemucod downloader

facebook logo large

Researchers have discovered an attack that uses Facebook Messenger to spread Locky, a family of malware that has quickly become a favorite among criminals.

The Ransomware is delivered via a downloader, which is able to bypass whitelisting on Facebook by pretending to be an image file.

The attack was discovered on Sunday by malware researcher Bart Blaze, and confirmed later in the day by Peter Kruse, another researcher that specializes in internet-based crime and malware.

The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.

The usage of SVG (Scalable Vector Graphics) files, is important. SVG is XML-based, meaning a criminal can embed any type of content they want – such as JavaScript. In this case, JavaScript is exactly what the attackers embedded.

If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL.

Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page.

If the codec (presented as a Chrome extension) is installed, the attack is this spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky.

The attack seems to have variations, so it isn’t clear if there is more to it than rogue extensions and downloaded Ransomware.

“As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave,” Blaze wrote in a blog post.

Both Google and Facebook have been made aware of the attacks. Salted Hash has reached out to Facebook for comment, we'll update this story should they respond.

A breakdown of the artifacts collected by Blaze can be found online.

Update:

A Facebook spokesperson sent the following - "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties."

As mentioned, Kruse discovered that Locky was in fact being delivered as one of the possible payloads form Nemucod.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.