November 22, 2016
Update: Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims’ computers as was initially reported. A Facebook spokesperson told Threatpost: “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”
The downturn in Locky ransomware infections toward the tail end of the summer was due in large part to successful efforts to halt the spread of the Nemucod downloader. Nemucod was one of the main vehicles delivering the malware to infected computers, usually via .zip email attachments hiding a .wsf extension.
The extension, instead, downloads a payload to the user’s machine. Researcher Peter Kruse of CSIS in Denmark said samples he’s seen are downloading Locky ransomware, though Blaze said he has not seen the ransomware payload.
“Some have reported Locky ransomware, but I have been unable to reproduce that for now,” Blaze told Threatpost. “As for the ones I found, only Chrome extensions were installed. I believe however they serve as a platform to download any additional malware.”
Requests for additional comment from Kruse and Facebook were not returned in time for publication. Kruse did tweet this morning that there are several different payloads, confirming a number of the same Chrome extensions that Blaze wrote about, in addition to others that he said download Locky. Detection on VirusTotal, Kruse said, remains relatively low, with 11 of 55 detecting the threat.
The key is that the SVG file redirecting victims to the download is bypassing Facebook’s filters.
“My guess would simply be they weren’t filtering for this filetype before,” Blaze said. “The exact details are unknown and I doubt Facebook will share them (and I think that’s for the best. we don’t want the cybercriminals to know how their filtering works).”
Once the victim installs the malicious extension, Blaze said, they are redirected back to Facebook.
“So it probably steals your FB credentials as well (hence how it’s able to spread and send the message to all your friends),” Blaze said.
SVG files, or scalable vector graphics, are in an XML format and are used for two-dimensional graphics. The use of the SVG file is also crucial to the campaign’s success given that an attacker could embed almost anything and the browser will open it. Blaze cautions that Facebook users should be wary of messages containing only an image.
“There have been quite a lot of reports about it so it’s definitely successful,” Blaze said. “The approach however is a classic: the lure of a photo (possibly of you) always works. Curiosity killed the cat.”
Blaze said the script is heavily obfuscated and redirects to the phony YouTube page with a dialog box telling the user to download and install another extension in order to see the video.
“This will effectively block the malware from being able to execute,” Blaze said. “From Facebook’s side, this can definitely be fixed as well.”