Now it's official!! DO NOT CLICK ON IMAGES SENT VIA SOCIAL MEDIA MESSAGES!!

There was a time when memes became famous all of a sudden!! Do you know where internet memes came from?? They were popularised by the hacker and imageboard crowd (4chan), and now the people behind malware have moved on from making fun via memes to making money via memes! Attackers have found a way to install RANSOMWARE on victims' PCs using social media messaging platforms like Facebook Messenger and LinkedIn.

Now let's look at what is actually happening.

There are a few things that need to be understood first:

  • Image file extensions (what a file's name claims it is, versus what it actually contains)
  • Trojan downloaders
  • Ransomware

The attacker tricks the victim into clicking on an "image"; that click triggers the download of RANSOMWARE to the victim's PC without the user's knowledge. This all started on Facebook Messenger with trojan campaigns: at first the attackers spammed users with a "lol" message carrying a zip attachment, and inside the zip was a file called IMG_XXXX.jar. The name imitates a phone camera photo, but .jar is a Java archive, not a picture, and it only runs if a Java runtime is installed. When the user double-clicks IMG_XXXX.jar, the jar downloads ransomware onto the user's computer.

VirusTotal scan result for the .jar:

That was the trojan stage. After a while Google, Facebook, Twitter and LinkedIn found ways to remove these malicious links from their platforms, but recently security researchers Bart Blaze and Peter Kruse found that attackers are using ".svg" image files to trick users into downloading LOCKY ransomware through a trojan downloader called Nemucod.

WHAT ARE LOCKY RANSOMWARE & NEMUCOD?

Locky is one of the most widespread ransomware families to date, and no antivirus vendor has been able to produce a decryptor for it. When it infects a system it encrypts the victim's files with AES-128, and the AES keys are in turn wrapped with the attackers' RSA-2048 public key (the "AES-1024" sometimes quoted does not exist; AES keys are 128, 192 or 256 bits, and Locky's own ransom note says AES-128). The RSA private key needed to unwrap the AES keys never leaves the attackers' server, which is why there is no decryptor. Every encrypted file is renamed with the ".locky" extension, and Locky also deletes the Volume Shadow Copies, so Windows' built-in "Previous Versions" recovery does not help.

Text presented in the desktop wallpaper and .txt files created by Locky:

!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
hxxps://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. hxxp://6dtxxxxm4crv6rr6.tor2web.org/07Bxxx75DC646805
2. hxxp://6dtxxxxgqam4crv6rr6.onion.to/07Bxxx75DC646805
3. hxxp://6dtxxxxgqam4crv6rr6.onion.cab/07Bxxx75DC646805
4. hxxp://6dtxxxxgqam4crv6rr6.onion.link/07Bxxx75DC646805
If all of these addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6dtxxxxm4crv6rr6.onion/07Bxxx75DC646805
4. Follow the instructions on the site.
!!! Your personal identification ID: 10DDxx98VBC6652 !!!

Which file extensions does this ransomware target?

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, 
.fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, 
.tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, 
.png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat,
.class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp,
.php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, 
.SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), 
.sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, 
.uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, 
.otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt,
.xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm,
.docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, 
.stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

How does this work?

The campaign spread through .svg files on Facebook because an SVG is not a bitmap but an XML document, and an XML document can legally contain a <script> element (as well as onload= style event-handler attributes and javascript: links). A browser that opens such a file directly executes that script. The attackers embedded script that fetched the trojan downloader Nemucod when the user clicked the image, and Nemucod in turn downloaded the LOCKY ransomware onto the user's PC. One caveat on the mechanism: the script only runs when the SVG is opened as a document (clicked and loaded in a browser tab, or embedded via <object> or <iframe>); browsers do not execute script in an SVG that is merely displayed through a plain <img> tag, which is exactly why the lure needs the victim to click.
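To make the SVG point concrete, here is an added example (my own, not code from the original post or from the researchers it cites) that parses an SVG and flags the three ways script can hide in it: <script> elements, on* event-handler attributes and javascript: links. The two sample SVGs are constructed, and the fake-YouTube URL in the onload handler is a placeholder, not a real indicator.

```python
# Added example (not from the original post): flag active content inside an SVG.
# SVG is XML, so a <script> element, on* event-handler attributes and
# javascript: links are all legal inside an "image"; a browser that opens the
# file directly will execute them. Both sample SVGs below are constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or pull in foreign content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# href may be namespaced (xlink:href, SVG 1.1) or plain (SVG 2).
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|vbscript|data:text/html)", re.I)


def _local(name):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def find_svg_active_content(svg_text):
    """Return a list of findings; an empty list means no script, event handler
    or script-scheme link was found.
    Note: ElementTree is used for brevity. For attacker-controlled XML in
    production, parse with defusedxml so entity-expansion tricks are rejected."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():          # depth-first, root first
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):          # onload=, onclick=, ...
                findings.append(f"<{name} {aname}=...> event handler")
            if attr in URL_ATTRS and DANGEROUS_SCHEMES.search(value):
                findings.append(f"<{name} href='{value[:40]}'> script scheme")
    return findings


# Constructed samples: one booby-trapped, one benign. The URL is a placeholder.
MALICIOUS_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="top.location='http://example.invalid/fake-youtube'">
  <rect width="100" height="100" fill="red"/>
  <script>/* a real lure would fetch and run a downloader here */</script>
  <a xlink:href="javascript:alert(1)"><text y="50">lol</text></a>
</svg>"""

BENIGN_SVG = f"""<svg xmlns="{SVG_NS}" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        hits = find_svg_active_content(doc)
        print(f"{label}: {hits if hits else 'clean'}")
```

Run against a received .svg before opening it in a browser; anything other than an empty list means treat the file as a document, not a picture. The scanner is deliberately conservative (it also flags <foreignObject>, which can wrap arbitrary HTML), so a hit is a reason to inspect, not proof of malice.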

The latest research shows that attackers are now also abusing the most common image extension, ".jpg", with booby-trapped files named as .JPG images. Here the trick is the file name rather than the format: Windows hides known extensions by default, so a file called IMG_1234.jpg.js is displayed as IMG_1234.jpg and runs as a script when double-clicked, and a file can be called anything at all regardless of what bytes are inside it.
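Whatever the exact lure, the check a practitioner wants is whether a file's content matches what its name claims. The following is an added example (mine, not code from the original post) that sniffs the leading bytes of a download and compares them with the extension, and also rejects double extensions and extensions that Windows would execute rather than display. The sample file names and byte strings are constructed to mirror the lures described above (IMG_XXXX.jar, a .jpg that is really an executable, a hidden .js extension); none of them is a real sample.

```python
# Added example (not from the original post): decide whether a downloaded
# "image" really is an image. A .jar is a ZIP archive, a Windows executable
# starts with "MZ", and a double extension such as photo.jpg.js is run
# according to the last extension, not the one the user notices.
# All sample bytes and names below are constructed.
import os

# Leading bytes that identify the real container format.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"PK\x03\x04", "zip"),   # .zip, .jar, .docx and .xlsx are all ZIP containers
    (b"MZ", "exe"),           # PE executables: .exe, .dll, .scr
    (b"<?xml", "xml"),        # an SVG is an XML document, not a bitmap
    (b"<svg", "xml"),
]

# What each image extension should look like on disk.
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "bmp": "bmp"}
# Extensions Windows hands to a script host or loader on double-click.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "jar",
                   "exe", "scr", "bat", "cmd", "com"}


def sniff(data):
    """Return the real type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(filename):
    """'IMG_1234.jpg.js' -> ['jpg', 'js']; Windows acts on the last one."""
    return os.path.basename(filename).lower().split(".")[1:]


def assess(filename, data):
    """Return a verdict string starting with OK, SUSPICIOUS or REJECT."""
    exts = extensions(filename)
    if not exts:
        return f"SUSPICIOUS: '{filename}' has no extension"
    last, real = exts[-1], sniff(data)
    if last in EXECUTABLE_EXTS:
        return f"REJECT: '{filename}' will execute (.{last}), not display"
    if len(exts) > 1 and any(e in EXPECTED for e in exts[:-1]):
        return f"REJECT: '{filename}' hides its real type behind a double extension"
    if last == "svg":
        return f"SUSPICIOUS: '{filename}' is SVG, which may carry script; inspect before opening"
    if last in EXPECTED:
        if real == EXPECTED[last]:
            return f"OK: '{filename}' header matches .{last}"
        return f"REJECT: '{filename}' claims .{last} but content is {real}"
    return f"SUSPICIOUS: '{filename}' has unrecognised extension .{last}"


# Constructed samples modelled on the lures described above.
SAMPLES = {
    "IMG_0042.jpg":    b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG header
    "IMG_0042.jar":    b"PK\x03\x04" + b"\x00" * 16,         # the 'lol' attachment style
    "IMG_0042.jpg.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "funny.jpg":       b"MZ\x90\x00" + b"\x00" * 16,         # executable renamed to .jpg
    "card.svg":        b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
```

The order of the checks matters: the extension Windows will act on is tested first, because a file that executes is dangerous whatever its header says, and only a genuinely image-typed name is then compared against its magic bytes.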

Here is a demonstration:

At the time of writing this campaign is still active, and giants like Facebook and LinkedIn have not fully shut it down. Facebook has said that it is monitoring its platform for malicious files and that fixes are on the way:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”

There are also Chrome extensions that do the same job, and Facebook's statement above attributes the files it blocked to such extensions rather than to Locky itself. Either way, an extension you did not knowingly install should go.

Remove Chrome extensions: Menu → More tools → Extensions → Remove (or open chrome://extensions directly).

Trojan downloader: TrojanDownloader:JS/Nemucod (Microsoft's detection name; the automated-analysis entry from Microsoft's threat encyclopedia is reproduced below). Note that the specific sample Microsoft analysed dropped Fareit and Crowti (CryptoWall) rather than Locky: Nemucod is a generic JavaScript downloader and its payload changes from campaign to campaign.

Also detected as: Trojan-Downloader.JS.Agent.hdm (Kaspersky), JS/Downloader (McAfee), Troj/JSDldr-AT (Sophos), JS.Downloader (Symantec)

Threat behavior

Installation

This threat can create files on your PC, including:

%TEMP%\1246549.exe
%TEMP%\2865241.exe

Payload

Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

PWS:Win32/Fareit
Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:

davis1.ru using port 80

Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

two.jpg
one.jpg

This malware description was published using automated analysis of file SHA1 6f8db4ab8debc3ae1ae7d8139daa659e97ee3bb4.
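The behaviour in that write-up (a script runs, drops a numerically named .exe under %TEMP%, and that .exe is then launched) is what a detection should key on, rather than the hostnames, which change per campaign. Below is an added example, not from the original post or the vendor write-up, that runs such a detection over constructed Sysmon-style process-create and file-create events. It assumes the .js downloader is executed by Windows Script Host (wscript.exe or cscript.exe, the default handler for a double-clicked .js file); the paths, user name and file names in the events are made up.

```python
# Added example (not from the original post): detect the Nemucod-style chain
# described above over constructed Sysmon-style events.
# Assumption: the .js lure is run by Windows Script Host (wscript.exe/cscript.exe),
# which is the default handler for a double-clicked .js file. All events are
# constructed; the paths and user name are invented.
import re

# Sysmon EventID 1 = process create, EventID 11 = file create.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe", "target": ""},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\IMG_1234.jpg.js"',
     "target": ""},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe", "parent": "",
     "cmd": "", "target": r"C:\Users\bob\AppData\Local\Temp\1246549.exe"},
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\1246549.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"C:\Users\bob\AppData\Local\Temp\1246549.exe", "target": ""},
    {"id": 1, "image": r"C:\Program Files\Editor\editor.exe",        # benign noise
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'editor.exe "C:\Users\bob\Documents\notes.txt"', "target": ""},
]

WSH = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
# Script file handed to the script host as the last argument.
SCRIPT_ARG = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?\s*$', re.I)
# Numerically named executable under the user's TEMP, as in the write-up.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\\d+\.exe$", re.I)


def detect(events):
    """Return one alert string per matching event, in event order."""
    alerts = []
    for e in events:
        if e["id"] == 1 and WSH.search(e["image"]) and SCRIPT_ARG.search(e["cmd"]):
            alerts.append(f"script host launched a script file: {e['cmd']}")
        if e["id"] == 11 and WSH.search(e["image"]) and TEMP_EXE.search(e["target"]):
            alerts.append(f"script host dropped an executable: {e['target']}")
        if e["id"] == 1 and WSH.search(e["parent"]) and TEMP_EXE.search(e["image"]):
            alerts.append(f"dropped executable started by script host: {e['image']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("ALERT:", alert)
```

Each of the three rules fires on its own, so a single process-create of wscript.exe with a .js argument is already worth a look in an environment where users have no business running scripts; together they describe the full download-drop-execute chain. The third rule also catches the case where the drop itself was not logged, since the parent/child relationship of the dropped .exe is enough.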

What to do to be protected?

  1. Do not click on images you receive in social media messages, and never open an "image" that arrives as a zip, .jar, .svg or .js attachment. (Sounds drastic, but hold your temptation for a while until the platforms have blocked this campaign.)
  2. Keep your operating system and antivirus updated.
  3. Review your Chrome and Firefox extensions at least once a week and remove anything you did not deliberately install.
  4. Turn on "show file name extensions" in Windows Explorer so that IMG_1234.jpg.js cannot pass itself off as IMG_1234.jpg, and consider changing the default program for .js, .jse, .vbs and .wsf files from Windows Script Host to Notepad so that a double-click opens the script as text instead of running it.
  5. Keep offline backups. Locky deletes the shadow copies, so a backup you can restore from is the only reliable way to get the files back.

Moral of the story: Never get too needy on the internet!