
Junk Images on Facebook Messenger Lead Users to Malware


Attackers temporarily found a way past Facebook's attachment filtering to deliver malicious Chrome extensions to users, security researchers have found. Those extensions in turn opened the door to malware downloaders that can fetch a range of Trojans and other programs onto the victim's desktop.


The .svg files sent to users got around Facebook's file extension filter. Because .svg is a format that existing filtering systems rarely inspect, attackers have room to experiment with it. Also, reports Bleeping Computer, since SVG is "XML-based and allows dynamic content," it is popular for delivering malicious JavaScript code embedded right inside the image.
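To make the bypass concrete, here is an added example (written for this page, not code from the campaign or from Facebook) contrasting the two kinds of filter: an extension blocklist, which the .svg files walked straight through, and a content check that parses the XML and looks for anything that can execute, which is what catches them. The three SVG documents are constructed samples; the script in the "malicious" one only redirects to a placeholder host, standing in for the fake YouTube page the real files led to.

```python
import re
import xml.etree.ElementTree as ET

# NOTE: the stdlib parser is not hardened against entity-expansion attacks;
# a production filter should parse with defusedxml instead.

# Constructed sample: the kind of "image" used in the Messenger campaign.
# The script body only redirects to a placeholder host; the real file sent
# victims to a fake YouTube page. This is not the original malware.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="320" height="180">
  <rect width="320" height="180" fill="#222"/>
  <text x="20" y="90" fill="#fff">Play video</text>
  <script type="text/javascript">
    window.location = "https://example.invalid/fake-youtube";
  </script>
</svg>"""

# Constructed sample: a harmless icon that a content filter must still allow.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

# Constructed sample: no <script> element, but still executes on click.
SNEAKY_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>
  <rect width="5" height="5" onclick="top.location='https://example.invalid/'"/>
</svg>"""

# Extensions a typical attachment blocklist refuses (assumed list). .svg is
# absent, which is exactly why the campaign's files got through.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}


def allowed_by_extension_filter(filename):
    """Extension-only check, as the bypassed filter behaved: an .svg passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return a list of reasons the SVG can run code; empty means none found."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        # Anything we cannot parse is treated as suspicious, not as an image.
        return [f"unparseable XML: {err}"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in ("script", "foreignObject"):
            # <script> runs JavaScript; <foreignObject> embeds arbitrary HTML.
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and re.match(r"\s*javascript:", value, re.I):
                # _local() makes this cover both href and xlink:href
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def allowed_by_content_filter(svg_text):
    """Content-based check: accept only SVGs with no executable content."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG),
                       ("sneaky", SNEAKY_SVG)):
        print(label, "->", find_active_content(doc) or "clean")
```

This scanner is a deny-list, and deny-lists on SVG are never complete: SMIL elements such as `<set>` and `<animate>` can rewrite an `href` at render time, and `<use>` or `<image>` can pull in external content. A platform that must accept SVG uploads is better off rasterizing them to PNG, or sanitizing them down to an allowlist of elements and attributes, than trying to enumerate every way script can hide.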


The image leads to a fake YouTube page that demands you install a "codec" to view the video in Chrome. Security researcher Bart Blaze, who analysed the campaign, found that the extension doing this, named "One," asks for permission to "read and change all your data on the websites you visit." He wrote that he was "not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook, but likely it downloads other malware to your machine." In his case, the download was the widely used Nemucod malware downloader.


Another security researcher, Peter Kruse, reported that one possible payload was the Locky ransomware. Facebook told Threat Post, though, that, “We determined that these were not in fact installing Locky malware.”


Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist. https://t.co/WYRE6BlXIF pic.twitter.com/jgKs29zcaG — peterkruse (@peterkruse) November 20, 2016


Anyone who encounters the suspicious .svg files should, per Threat Post and Blaze, disable JavaScript in their browser, block Windows Script Host (wscript.exe), or set files with the extensions .svg, .js and .jse to open only in Notepad. Note what each step actually covers: disabling JavaScript stops the script embedded in the SVG from running when the image is opened in the browser, while the Notepad association and the Wscript block stop a downloaded .js or .jse file, such as a Nemucod downloader, from executing when it is opened from disk. Changing the file association does not affect what the browser does with an SVG it renders.


And, as always, avoid clicking on links in unsolicited messages, whether they arrive in Facebook Messenger, your email client, or SMS, as was the case a few days ago with a fake Apple ID phishing attack sent through text messages.



Locked Out


At a minimum, this .svg trick abused victims' Facebook accounts to propagate itself through their contact lists. At worst, it installs malware downloaders, which can then act as vectors for ransomware such as Locky, which encrypts victims' files and locks them out of their data.


Ransomware does exactly what its name says. Once a user runs the malicious program, it encrypts their files and then tells them that the only way to get them back is to pay the attackers for the decryption key. Sinara Labs, a Turkey-based phishing simulation company, noted in a report published last month that ransomware is increasingly able to "circumvent intuitive and behavior-based automated analysis mechanisms."


This would appear to be the case with the .svg files coming through Facebook, which is now filtering the content and conducting its own investigation.


According to Naked Security, Locky demands $200-400 in bitcoin and usually spreads through malicious Office documents attached to emails that urge the recipient to download the file and enable macros in order to read it. It also uses other false pretenses, such as fake online orders, phony advertisements, and bogus "official" notifications.


Healthcare Insurance themed SPAM emails are delivering #LOCKY #Ransomware with another new param “woody” #threatintel pic.twitter.com/JpKPNzC77L — abhie (@abhie) November 7, 2016


When a user follows the instructions and enables macros, the document's contents do not become readable. Instead, the macro runs the code of a Trojan, Troj/Ransom-CGX, which then downloads Locky itself.


According to Tom’s Guide, Locky’s encryption has still not been cracked, so anyone hit by it is in serious trouble.


Locky is very thorough. It "scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people's computers." The malware itself runs on Windows, but the shares it encrypts can be hosted on any operating system.


There are other named extensions besides "One" whose exact functions are unclear but which probably also drop malware downloaders. Google is now blocking all of these extensions in the Chrome Web Store.

© 2016 Geektime, syndicated under contract with NewsEdge.
