Malicious Memes Found Spreading on Twitter

Attackers are using social media to spread malware. Security researchers at Trend Micro found malware embedded in memes posted on Twitter. This new type of Trojan exploits memes sent on Twitter by using steganography to hide malicious instructions in the images.

Steganography is a technique used to hide information in plain sight. In this scenario, attackers used steganography to hide malware inside images or memes. Researchers found two tweets, posted on October 25 and 26, containing malicious instructions. The Twitter account, created in 2017, was not used until two months ago and has since been taken down by Twitter.

Using social media to spread malware is nothing new. Twitter has been used to spread malicious links for several years. However, this is the first time memes have been used to spread malware. The use of memes, steganography and social media can be a dangerous combination. Memes spread very quickly, and using steganography makes it more difficult to discover the malware.

Researchers at Trend Micro said:

“the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled”

Cybercriminals are using a simple remote access Trojan (RAT) to infect Windows machines. This variant, called TROJAN.MSIL.BERBOMTHUM.AA, executes when the malicious memes are downloaded from the Twitter account and begins to receive command-and-control (C&C) instructions. Once downloaded, a “/print” command is executed, which takes screenshots of the infected computer. The screenshot is then sent to a C&C server whose hard-coded URL is obtained from pastebin.com. Further, the information is sent to the attacker by uploading it to a specific internal or private IP address. This URL is most likely a temporary location.

Although both tweets used the “/print” command, the malware can also execute four other commands: “/processos” obtains a list of all processes running on the machine, “/clip” captures the clipboard, “/username” obtains the username on the machine, and “/docs” obtains filenames.

There are indications that this attack was an experiment by cybercriminals because the “/paste” command pointed to a local address. The attackers’ intentions are unknown; however, it looks like they may be getting ready for something bigger.
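
The network sequence described above (image fetched from Twitter, URL read from pastebin.com, upload to a private IP address) can be hunted for in connection logs. The following is an added example, not code from Trend Micro or this article; the log format, host and process names, browser allowlist and the pbs.twimg.com image host are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample connection log: time, host, process, method, destination.
SAMPLE_LOG = """\
2024-01-01T09:00:00 ws-014 chrome.exe GET pbs.twimg.com
2024-01-01T09:05:00 ws-022 updater.exe GET pbs.twimg.com
2024-01-01T09:05:03 ws-022 updater.exe GET pastebin.com
2024-01-01T09:05:09 ws-022 updater.exe POST 192.168.56.20
2024-01-01T10:00:00 ws-031 sync.exe GET pbs.twimg.com
2024-01-01T11:30:00 ws-031 sync.exe GET pastebin.com
2024-01-01T11:30:05 ws-031 sync.exe POST 10.0.0.5
"""
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed allowlist
TWITTER_HOSTS = {"twitter.com", "pbs.twimg.com"}        # assumed image sources
STAGES = ("meme", "paste", "upload")                    # order described in the article

def classify(method, dest):  # stage of the chain for one connection, or None
    if method == "GET" and dest in TWITTER_HOSTS:
        return "meme"
    if method == "GET" and dest == "pastebin.com":
        return "paste"
    try:
        if method == "POST" and ipaddress.ip_address(dest).is_private:
            return "upload"
    except ValueError:  # destination is a hostname, not an IP literal
        pass
    return None

def find_chains(log_text, window=timedelta(minutes=10)):
    """Return (host, process) pairs completing all stages, in order, within the window."""
    progress, hits = {}, []
    for line in log_text.splitlines():
        ts, host, proc, method, dest = line.split()
        stage = classify(method, dest)
        if proc.lower() in BROWSERS or stage is None:
            continue
        when, key = datetime.fromisoformat(ts), (host, proc)
        idx, start = progress.get(key, (0, when))
        if idx and when - start > window:  # stale partial chain: start over
            idx = 0
        if stage == STAGES[idx]:
            idx, start = idx + 1, (start if idx else when)
        elif stage == STAGES[0]:           # a fresh image fetch restarts the chain
            idx, start = 1, when
        if idx == len(STAGES):
            hits.append(key)
        progress[key] = (idx % len(STAGES), start)
    return hits
```

On the sample, only `ws-022 updater.exe` is returned: the browser is skipped and `ws-031` takes 90 minutes between the first two stages, outside the default 10-minute window.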

If you believe your organization has been hit with malware, contact LIFARS immediately.