Hidden Code in Memes Instruct Malware via Twitter

Analysts discover malicious code embedded in tweeted images.

Remember when memes were little more than satirical images overlaid with text? Not anymore. Researchers have identified a new type of malware that receives instructions via hidden code embedded in memes posted to Twitter.

According to researchers, the meme-driven malware is nothing more than a simple remote access trojan (RAT) instructed in a novel way. The first step in the attack is infecting a targeted PC with the RAT – identified as TROJAN.MSIL.BERBOMTHUM.AA. Next, the malware listens for commands from a single Twitter account (created in 2017) and controlled by the malware operator.

“The memes contain an embedded command that is parsed by the malware after it’s downloaded from the malicious Twitter account onto the victim’s machine,” wrote researchers with Trend Micro that discovered the malware and publicly disclosed its findings on Friday.

According to Trend Micro, Twitter disabled the account in question on Dec. 13, 2018. In total, only two malicious tweets were observed by researchers and they were posted to Twitter on Oct. 25 and 26.

The use of Twitter as a means to spread malicious code is nothing new. For nearly a decade, cybercriminals have been using Twitter accounts to spread links containing malicious code and botnet commands.

“This new threat is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled,” wrote researchers.

What’s interesting about this RAT is its use of steganography to send commands to the malware program, and its use of Twitter as a sort of smoke screen to communicate with its malicious servers, undetected.

Researchers said meme images are posted to Twitter where the “malware then parses the content of the malicious Twitter account and begins looking for an image file using the pattern:¬† “<img src=\”(.*?):thumb\” width=\”.*?\” height=\”.*?\”/>” on the account.”

RAT uses Twitter images to instruct malicious behavior

A screen capture of the malicious Twitter account

The code itself contained “/print” commands which instructed the malware to capture screenshots of the affected computer. “The screenshots are sent to a C&C server whose address is obtained through a hard-coded URL on pastebin.com,” researchers wrote.

Though only two tweets were found to contain infected memes, the analysts warned that the images¬† included five executable commands, such as “/clip” to see text copied to a user’s clipboard, or “/processes” to find out what programs are actively running on the user’s computer.

Steganography is a technique that hides code within image files, and is a form of attack not unique to Twitter. For years, cybercriminals have embedded malicious code in image files, often distributed in email malspam campaigns. However, this is the first instance to date that’s solely utilized memes, which are viral by nature.

There is evidence researchers were able to nip this attack in the bud, before the memes were able to spread – and the malware along with them. According to an analysis of the malware using VirusTotal the malware first appear in October, around the same time that the target Pastebin post was created.

Still unknown is the identify the hackers including their intentions. However, researchers note there are some indications that this may have been an experiment. The “paste” pointed to a local address, suggesting that the attacker or attackers were merely testing the idea.

Researchers stress that none of the tweets could have caused an infection alone. Instead, they were only a conduit to activate already-infected machines.

Suggested articles

Discussion

  • Tricus on

    This is actually pretty cool. I've also been playing around with this specific idea. Quite dope.
  • Virt on

    Why are people making image viewers capable of executing code contained in metadata in the first place?

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.