Beware of ongoing Facebook spam campaign is spreading Malware and Ransomware
An ongoing Facebook spam campaign is spreading malware downloader among Facebook users by taking advantage of innocent-looking SVG image file to infect computers.
If clicked, the file would eventually infect your PC with the nasty Locky Ransomware, a family of malware that has quickly become one of the favorite tools among criminals due to its infecting capabilities.
Discovered by malware researcher Bart Blaze, the attack campaign uses Facebook Messenger to spread a malware downloader called Nemucod that takes the form of .SVG image files.
Why SVG file? Hackers considered SVG (or Scalable Vector Graphics) files for spreading the malware downloader, because SVG has the ability to contain embedded content such as JavaScript, and can be opened in a modern web browser.
Crooks added their malicious JavaScript code right inside the image file itself, which was actually a link to an external file.
If clicked, the malicious image file would redirect you to a website mimicking YouTube, but with completely different URL.
Like a typical way to deliver malware infection, the site would push a popup, asking you to download and install a certain codec extension in Google Chrome in order to view the video. The malicious extension used two names, Ubo and One.
Once installed, the extension gives the attackers ability to alter your data regarding websites they visit, as well as takes advantage of browser's access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file.
That the SVG image file containing the Nemucod downloader, in some cases, then ultimately downloads a copy of Locky ransomware on victim's PC.
Locky ransomware is one of the most popular ransomware that locks all files on a victim's computer with RSA-2048 and AES-1024 encryption algorithms and unlocks them until the ransom is paid to attackers.
If you are one of those who had been tricked into installing one of the two malicious extensions, you can remove it immediately.
To remove the offending extension, just go to Menu → More Tools → Extensions and check for the extension and remove it.
If clicked, the file would eventually infect your PC with the nasty Locky Ransomware, a family of malware that has quickly become one of the favorite tools among criminals due to its infecting capabilities.
Discovered by malware researcher Bart Blaze, the attack campaign uses Facebook Messenger to spread a malware downloader called Nemucod that takes the form of .SVG image files.
Why SVG file? Hackers considered SVG (or Scalable Vector Graphics) files for spreading the malware downloader, because SVG has the ability to contain embedded content such as JavaScript, and can be opened in a modern web browser.
Crooks added their malicious JavaScript code right inside the image file itself, which was actually a link to an external file.
If clicked, the malicious image file would redirect you to a website mimicking YouTube, but with completely different URL.
Like a typical way to deliver malware infection, the site would push a popup, asking you to download and install a certain codec extension in Google Chrome in order to view the video. The malicious extension used two names, Ubo and One.
Once installed, the extension gives the attackers ability to alter your data regarding websites they visit, as well as takes advantage of browser's access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file.
That the SVG image file containing the Nemucod downloader, in some cases, then ultimately downloads a copy of Locky ransomware on victim's PC.
Locky ransomware is one of the most popular ransomware that locks all files on a victim's computer with RSA-2048 and AES-1024 encryption algorithms and unlocks them until the ransom is paid to attackers.
If you are one of those who had been tricked into installing one of the two malicious extensions, you can remove it immediately.
To remove the offending extension, just go to Menu → More Tools → Extensions and check for the extension and remove it.
No comments
Post a Comment