An ongoing Facebook spam campaign is spreading the Nemucod malware downloader among users, which in some cases was seen downloading the Locky ransomware at later stages.

Security researchers Bart Blaze and Peter Kruse spotted the campaign over the weekend in the form of spam messages spread via Facebook's IM system.

Spammers were passing around an SVG image. SVG (Scalable Vector Graphics) is not a bitmap format like JPEG or PNG but a long-established, XML-based format for vector images, which every modern browser renders natively as a document.

Facebook SVG spam message (via Bart Blaze)

The reason the crooks chose SVG is that, being XML, an SVG file can carry script elements and other dynamic content alongside its drawing instructions, and the browser will execute that script when the file is opened. The crooks had placed malicious JavaScript right inside the image itself; in this case the script did nothing more than point the viewer to an external file.

SVG image source code (via Bart Blaze)
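The sort of check that separates a harmless SVG from one carrying active content, written as an added example for this article (it is not code from the researchers or from the campaign). It parses the file as XML and flags script elements, event-handler attributes, javascript: URLs, foreignObject elements and external references. The two sample files are constructed here for illustration, and the example.invalid hostname is a placeholder, not an indicator from the real campaign.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"


def _local(name):
    # ElementTree reports namespaced names as "{uri}local"; keep only "local"
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return a list of (reason, detail) findings for script-capable or
    externally-referencing content inside an SVG document."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            # inline script body, or an external script source via (xlink:)href
            src = el.get("{%s}href" % XLINK_NS) or el.get("href")
            findings.append(("script element", src or (el.text or "").strip()[:80]))
        if tag == "foreignObject":
            # foreignObject lets an SVG embed arbitrary HTML, including <iframe>
            findings.append(("foreignObject element", ""))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            v = value.strip().lower()
            if aname.startswith("on"):
                # every SVG/HTML event-handler attribute starts with "on"
                findings.append(("event handler attribute", "%s=%r" % (aname, value)))
            if aname == "href" and v.startswith("javascript:"):
                findings.append(("javascript: URL", value))
            if aname == "href" and v.startswith(("http://", "https://", "//")):
                findings.append(("external reference", value))
    return findings


def classify(svg_text):
    """'active' if the file carries script or external references, else 'static'."""
    return "active" if find_active_content(svg_text) else "static"


# Constructed sample resembling the technique described above: a script that
# sends the viewer elsewhere, an onload handler and a clickable external link.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200" onload="init()">
  <rect width="200" height="200" fill="#ccc"/>
  <script type="text/javascript">window.location = "https://example.invalid/video";</script>
  <a xlink:href="https://example.invalid/video"><text x="20" y="100">Play</text></a>
</svg>"""

# Constructed benign sample: pure drawing instructions, nothing dynamic.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, classify(doc))
        for reason, detail in find_active_content(doc):
            print("  ", reason, detail)
```

This is a triage check, not a sanitizer: a file that passes it can still be abused through CSS url() references or rendering quirks, and the safe posture for a site accepting image uploads is to re-encode SVG into a raster format or serve it with a restrictive Content-Security-Policy rather than trust a scan.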

Users clicking on the image would find themselves on a website mimicking YouTube. The website would push a popup, telling users they had to install an extension to view a video.

Fake YouTube website pushing Chrome extension (via Bart Blaze)

"The extension has no icon and thus seems invisible," security researcher Bart Blaze noted, adding that alarm bells should be ringing for any user who finds himself on such a website.

Malicious Chrome extension (via Bart Blaze)

This extension is most likely the method through which the spam spreads: it abuses the browser's already logged-in Facebook session to secretly mass-message the victim's friends with the same SVG image file, so each new victim becomes a sender.

Malicious Chrome extension was downloading Nemucod

Furthermore, Blaze says the extension also downloads Nemucod, a generic malware downloader used to fetch and install other threats.

On the same day, Peter Kruse, founder of CSIS Security Group, said on Twitter that he detected the same campaign and saw Nemucod download Locky payloads.

Blaze and Kruse said the malicious Chrome extension used two names, Ubo and One. The researchers alerted both the Facebook and Google Chrome teams.
