The campaign spreads the Nemucod downloader

If you receive any Facebook Message with an .SVG image file, just avoid clicking it: a malicious campaign is spreading a ransomware downloader (Nemucod) among Facebook users by taking advantage of innocent-looking SVG image file to infect computers.

The campaign was discovered by malware researchers Bart Blazen and Peter Kruse, and seems to be an evolution of the threat notified some months ago by AppRiver.

On his blog, Blazen writes:

Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter

Why SVG file?

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.
This means that this file format has the ability to contain embedded content such as JavaScript, and can be opened in any modern web browser.

In fact, the content of the ‘photo’ (here the analysis of a sample) is the following:


an obfuscated javascript that starts the download of payload (the Locky ransomware) and opens a fake Youtube site that ask the user to download and install a browser extension required to see the videos:

If the victim installs the Chrome extension, the attack is spread further via Facebook Messenger to all user contacts.

I opened the link and installed the extension, how can I fix it?

from Bart Blazen’s post:

Remove the malicious extension from your browser immediately:

Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.