Q
Problem solve Get help with specific problems with your technologies, process and projects.

How does Nemucod malware get spread through Facebook Messenger?

The Nemucod downloader malware is being spread through Facebook Messenger disguised as an image file. Expert Nick Lewis explains the available protections against this attack.

Researchers discovered an attack that uses Facebook Messenger to spread Locky ransomware through a Nemucod downloader...

disguised as an image file. Does Facebook Messenger have any type of antimalware protection in place? Are these types of messaging services common vectors for ransomware attacks?

Writers of malware find the most ingenious ways to get onto an endpoint. It seems that any way to transfer a file or data may also be abused to deliver malware or malicious code.

Some users might assume that most files are safe from malware, but this trust is misplaced -- antiphishing training has instilled the importance of not opening potentially malicious attachments from email. This same cautious behavior needs to be applied to any file, but this creates inconvenience for end users.

A recent example of this is the discovery of the Nemucod downloader malware being spread via Facebook Messenger as an image file. The image, a Scalable Vector Graphics (SVG) file, is XML-based, and it allows for embedded JavaScript.

Clicking on the image takes the user to a website mimicking YouTube, where the user will be prompted to download a browser extension to view a video. This malicious extension may install the Nemucod downloader, which, in turn, downloads Locky ransomware. Nemucod may also use the browser's access to the user's Facebook account to send other messages containing the SVG file.

Enterprises have implemented protections on endpoints because they know there is a significant likelihood someone will accidently open a malicious file masquerading as a harmless image file. Consequently, many enterprises have standards for checking every file for malware, regardless of how it is transmitted or saved on a system. Software developers or service operators shouldn't assume that all endpoints will have antimalware protections, and should provide functionality preventing malware or malicious code from being transmitted.

Facebook partners with several antimalware vendors to encourage users to install antimalware tools, and it also has functionality built into its platform to check URLs to determine if they are malicious or spreading spam. Facebook also has a file extension filter to prevent malicious files from being transmitted through its service.

Facebook issued a response to this threat, saying it has blocked malicious files, like the Nemucod downloader, and that the Locky ransomware infections were likely associated with bad browser extensions. 

Next Steps

Find out how the changes in Locky ransomware affect enterprise protections

Learn how attackers can use an Instagram application as command-and-control infrastructure

Read case studies on data recovery after a ransomware attack

This was last published in April 2017

Dig Deeper on Social media security risks

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What is your enterprise's policy on downloading files sent over messaging services?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close