New methods of ransomware distribution have emerged: researchers have discovered the use of Facebook Messenger to spread the Locky ransomware, a family that has this year marked itself as a favourite among hackers looking to cash in on your loss. Where such files would normally be filtered automatically by Facebook, the hackers have worked out a way to hide the malicious software by making it pose as an image.
The Locky ransomware attack was discovered on Sunday by malware researcher Bart Blaze, and was confirmed later that day by internet crime specialist Peter Kruse.
The hacker has found a way to leverage a downloader called ‘Nemucod’ within a Google Chrome extension. It is initially reached from a link within a .svg file sent via Facebook Messenger. Because the image is in SVG (Scalable Vector Graphics) format, it is XML-based and can therefore have any type of content embedded in it, for example JavaScript. In this instance, JavaScript is what was used.
Once clicked, the image directs the user to a website that appears to be YouTube. Upon loading, the user is alerted that they do not have the correct codec to play the video and is given the option to download the ‘required’ codec as a Google Chrome extension.
If the codec (presented as a Chrome extension) is installed, the attack is then spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky. The attack seems to have variations, so it isn’t clear whether there is more to it than rogue extensions and downloaded ransomware.
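The SVG-embedded JavaScript described above can be caught before a user ever opens the file. The following is an added example, not code from the original article or from the researchers it names: it parses an SVG with Python's standard library and flags the active-content features a plain picture never needs (script elements, on* event handlers, javascript: and external links, foreignObject). The sample SVG, its link target and its script text are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an SVG that renders as a picture but also carries a script,
# an onload handler and an outbound link, the pattern the article describes.
# The link target is a placeholder, not the real lure site.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="120" onload="init()">
  <rect width="200" height="120" fill="#ddd"/>
  <a xlink:href="http://video-site.invalid/watch"><text x="10" y="60">play</text></a>
  <script type="text/javascript">/* constructed placeholder; no payload */</script>
</svg>
"""

def _local(tag):
    """Strip the XML namespace from an element or attribute name."""
    return tag.rsplit("}", 1)[-1]

def scan_svg(data):
    """Return a list of (reason, detail) findings for active content in an SVG.

    Checks: <script> elements, on* event-handler attributes, javascript: URLs,
    <foreignObject> (can wrap arbitrary HTML), and links to external origins.
    For untrusted input at scale, parse with defusedxml rather than ElementTree.
    """
    findings = []
    root = ET.fromstring(data)
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append(("script-element", (elem.text or "").strip()[:40]))
        if name == "foreignObject":
            findings.append(("foreign-object", name))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(("event-handler", f"{aname}={value}"))
            if aname == "href":
                if re.match(r"^\s*javascript:", value, re.I):
                    findings.append(("javascript-url", value))
                elif re.match(r"^\s*(https?:)?//", value, re.I):
                    findings.append(("external-link", value))
    return findings

def is_suspicious(data):
    """True if the SVG carries anything beyond static drawing content."""
    return bool(scan_svg(data))

if __name__ == "__main__":
    for reason, detail in scan_svg(SAMPLE_SVG):
        print(f"{reason}: {detail}")
```

A mail or chat gateway that runs this on inbound .svg attachments would quarantine the sample on three separate counts, while an SVG made of plain shapes passes cleanly.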
As Bart Blaze has noted: “As always, be wary when someone sends you just an ‘image’ – especially when it is not how he or she would usually behave.” A breakdown of the artifacts collected by Blaze can be found online.
Both Google and Facebook have been made aware of the attacks. In response, a Facebook spokesperson said:
“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky Ransomware but rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”
As mentioned, Kruse discovered that Locky was in fact being delivered as one of the possible payloads from Nemucod.
