Bart Blaze, a security researcher, has discovered a new strain of malware that takes the form of .SVG image files, which are being automatically sent from compromised accounts of Facebook users.
Unlike other common file types, the .SVG image files have the ability to contain embedded content like JavaScript, and can be opened in a modern browser. In this particular case, the script in the image redirects users to a site posing as YouTube that says that in order to view the video, the user must install a certain codec extension in Google Chrome, a very typical modus of malware creators.
The plugin in question (for Google Chrome) will give it the capability to make changes to the users’ data on the websites they visit, i.e. the tool that sends out the message with the SVG file to other users. The extension will also spread the malware further on Facebook, compromising the victim’s account, according to Blaze.
However, Peter Kruse, a colleague of Blaze and eCrime specialist, further noted that the SVG file does not always redirect users to the malicious Chrome extension. For instance in another case, the image file contained the Nemucod downloader, which then downloaded a copy of Locky ransomware on the victims’ machine.
While it is unknown how the SVG files managed to bypass Facebook’s file extension filter, Facebook’s security team has been reportedly notified of the exploit, and will hopefully soon block it completely. The malicious Chrome extension has also been removed by Google from its Chrome Store.
“As always, be wary when someone sends you just an ‘image’ – especially when it is not how he or she would usually behave,” Blaze advises.
If you have been fooled into installing the extension, remove it by going to Menu > More Tools > Extensions. Once done, check your computer for additional malware. If are unlucky and have ended up with Locky, an up-to-date backup is your best bet for restoring your files.
