Malware controlled through commands hidden in memes posted on Twitter

New Malware Takes Commands From Memes Posted On Twitter

Security researchers at Trend Micro have spotted a new strain of malware that retrieved commands from memes posted on a Twitter account controlled by the attackers. In this way, attackers make it hard to detect traffic associated with the malware that is this case appears as legitimate Twitter traffic.

The use of legitimate web services to control malware is not a novelty, it the past crooks used legitimate services like Gmail, DropBox, PasteBin, and also Twitter to control malicious codes.

The malware discovered by Trend Micro leverages on the steganography to hide the commands embedded in a meme posted on Twitter.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.” reads the post published by Trend Micro.

“Twitter has already taken the account offline as of December 13, 2018.”

Attackers hid the “/print” command in the memes, it allows them to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.

The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans meme files, and extracts the command they include.

The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.

Below the list of commands supported by the malware:

Commands	Description
/print	Screen capture
/processos	Retrieve list of running processes
/clip	Capture clipboard content
/username	Retrieve username from infected machine
/docs	Retrieve filenames from a predefined path such as (desktop, %AppData% etc.)

According to Trend Micro, the malware is in the early stages of its development, experts noticed that the Pastebin link points to a local,

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs –malware, memes)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.