Attackers Connect with Malware via Malicious Memes

Written by

A new type of malware has been found listening for commands from malicious memes posted on Twitter, according to new research from Trend Micro.

Cyber-criminals are using the social site as an unwilling conduit in communicating with its mothership through the use of steganography, a tactic that hides a payload inside an image in order to evade detection. The payload also instructs the malware to take a screenshot and collect system information from the infected computer, Aliakbar Zahravi wrote in a recent blog post.  

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled. Twitter has already taken the account offline as of December 13, 2018,” the blog said.

In late October, the malware authors posted malicious memes in two separate tweets. Using a Twitter account run by the malware operator, the malware listens for a command embedded in the memes. Once downloaded from the Twitter account onto the victim’s machine, the malware parses in order to act as the command-and-control (C&C) service for the malware, according to Zahravi.

“This isn’t the first occurrence of malware using popular websites to obscure command-and-control features. Most organizations will allow popular websites through their firewalls, so malware communicating with these sites can blend in with a large pipe of network data,” said Travis Smith, principal security researcher at Tripwire. “A slight uptick in a few bytes of data to Twitter is less of an anomaly than a few bytes of data going to an unknown IP address for the first time.

“What’s unique here is the use of steganography to obscure the commands even further. This tells me the authors of this malware are concerned more about folks scanning websites like Twitter or PasteBin for typical command-and-control or other malware functions in the text of those services. By using images, a typical scanning engine ingesting text would be blind to this type of obfuscation.”

What’s hot on Infosecurity Magazine?