The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.
If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL.
Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page.
If the codec (presented as a Chrome extension) is installed, the attack is this spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky.
There are a lot of moving parts to delivering Locky in this manner. In addition, anecdotally anyhow, I believe most people use Facebook Messenger on their mobile devices rather than via the web so I wonder about the effectiveness of this attack. Unfortunately, there are a lot of folks who do not pay close enough attention and will allow the codec to install without nary a second thought, and thus allow this exploit to succeed.