Warning! The Nemucod downloader uses the SVG format to spread on Facebook Messenger
A blackmail software spread through the downloader, special note that it can bypass Facebook defensive measures, disguised as a harmless image file.
This malware found by two researchers named Bart Blaze and Peter Kruse.
“Earlier today, a friend of mine told me a strange thing about its Facebook account; a message that contained only one image (actually a .svg file) was automatically sent, and it effectively bypassed Facebook’s File extension filter “.
An SVG image file can be used by the attacker as a container that can contain malicious code, such as a Java script.
In May 2015, researchers at AppRiver Security discovered a malicious activity that distributed extortion software using SVG files.
SVG (Scalable Vector Graphics) is an XML-based vector image format used to support animated and interactive 2D graphics. SVG images contain the definition of XML text behavior, which allows SVG images to be searched, indexed, scripted and compressed. Although SVG images can be created and edited with any text editor, the more common use of SVG is to create software to describe image details directly.
AppRiver malware that the attacker is using the SVG file contains a small piece of java script code, which allows them to redirect the victim to the site used to serve Cryptowall malware.
“These SVG files contain a small piece of java script code that opens a web page and downloads malware,” AppRiver researchers wrote in a blog post. “The IP link is problematic, and it goes to another domain to download the zip file. The zip file actually contains the payload exe, but it can not be executed automatically and still requires user interaction.”
The new attack technique is based on the download using a malicious program called Nemucod, which uses. Svg file on Facebook Messenger spread, this incident has been confirmed by Peter Kruse on Twitter.
When a victim accesses a malicious SVG file, it will be redirected to a site that looks like YouTube, but once the page loads, the victim will be asked to install a codec to play the displayed page.
If the victim installs the Chrome extension as instructed on the page, the attack uses Facebook Messenger for the next spread. Experts observed that sometimes malicious Chrome extension installation Nemucod download program will trigger a blackmail software attack.
Experts warned that there may be several malware variants, such as Locky Ransomware, maliciously spread.
If you’re infected, remove the malicious extension from your browser.