Malware masquerading as an image spreads via Facebook

Malware spreading via Facebook has become a rare occurrence, but it does still occasionally crop up.

The latest instance has been noticed by malware researcher Bart Blaze, and takes the form of image files (.svg files, to be exact) that are being automatically sent from compromised user accounts:

SVG files are image files that can have embedded in them content such as JavaScript, and can be opened by browsers. In this particular case, the script in the image redirects users to a site posing as YouTube that says that in order to view the video, the user must install a specific codec extension.

The plugin in question (for Google Chrome) can change users’ data on the websites they visit, i.e. it’s the tool that sends out the message with the SVG file to other users.

Whether it is also capable of downloading other malware is currently unclear, but eCrime specialist Peter Kruse says that the SVG file does not always redirect users to the malicious Chrome extension.

His research showed that, in other instances, the file contains the Nemucod downloader, which ultimately downloads the Locky ransomware on the victims’ machine.

How the SVG files managed to bypass Facebook’s file whitelist is also unknown, but Facebook has been notified of the attack, and will hopefully soon block it entirely. Google has already removed the offending extensions from its Chrome Store.

If you’ve been tricked into installing the extension, remove it by going to Menu > More Tools > Extensions. After that, check your computer for additional malware. If you’ve been unlucky and you’ve ended up with Locky, an up-to-date backup is your best bet for restoring your files.

“As always, be wary when someone sends you just an ‘image’ – especially when it is not how he or she would usually behave,” Blaze advises.

UPDATE: Blaze tells us that the SVG file he analyzed and which pushes users to the fake YouTube video also contains the Nemucod downloader, but hasn’t witnessed it downloading Locky.