In November it was revealed that malware is being spread using SVG and its capability of containing executable JavaScript code. The specific attack has been used widely in Facebook chat as a method of getting users to download even more dangerous ransomware.
Facebook has a strong track record of preventing the spread of malicious code and JavaScript, but this novel method is able to circumvent those protections.
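A defensive check of the kind an upload filter or mail gateway could apply, added here as an example that is not from the original post or from Facebook: it parses an SVG and flags the features that let it carry active content (script elements, on* event handler attributes, javascript: hrefs, foreignObject). The two sample SVGs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: a plain drawing and one carrying script-capable content.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<circle cx="5" cy="5" r="4" fill="red"/>'
    '</svg>'
)
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>/* constructed sample: any script at all is a finding */</script>'
    '<rect width="10" height="10" onclick="void 0"/>'
    '<a xlink:href="javascript:void(0)"><text>open</text></a>'
    '</svg>'
)


def find_active_content(svg_text: str) -> list[str]:
    """Return human-readable findings for every script-capable construct in an SVG.

    An empty list means no active content was found. Namespaces are stripped so
    both plain and namespaced (e.g. xlink:href) names are matched.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # A file that will not parse as XML cannot be vetted; treat as a finding.
        return ["not well-formed XML"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler attribute {local} on <{tag}>")
            if local == "href" and re.match(r"^\s*javascript:", value, re.I):
                findings.append(f"javascript: URI in {local} on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True only when the SVG contains none of the active-content constructs above."""
    return not find_active_content(svg_text)
```

Rejecting (or rasterising) any SVG with findings is a stricter policy than an extension whitelist, which the post notes was bypassed.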
The primary goal of the initial attack is to get the user to download the Nemucod malware, which extorts users for money after encrypting their computer:
Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist. https://t.co/WYRE6BlXIF pic.twitter.com/jgKs29zcaG
— peterkruse (@peterkruse) November 20, 2016
Currently the activity above is all that infected browsers (Chrome) are made to do, but since the malware is dynamic it can be changed in the future to perform other activities.
The malware can allegedly download code from the creators' server and also listen to Chrome network traffic and modify it. This allows capturing the Facebook session and other sessions used in the browser.
Users whose Chrome has been infected should remove the malicious extension. Initially only Windows users are being attacked, but infected macOS and Linux computers can be attacked and abused in the future:
Currently, I'm not exactly sure what this extension is supposed to do besides spreading itself automatically via Facebook, but likely it downloads other malware to your machine.
- Nemucod downloader spreading via Facebook
In the past web browsers have been very secure by default and remarkably resistant to exploits thanks to their sandboxed security model. With the consistently increasing complexity of applications written in JavaScript, the likelihood of exploits targeting JavaScript and browsers is bound to grow.
With access to web workers and other modern techniques, browsers are a tempting target nowadays, not to mention the access to users' private sessions and more should a deeper vulnerability be found in one of the major browsers.
Read more: