Posted on December 18, 2018 at 3:46 PM
Twitter Memes Used for Hiding Malware Instructions in Plain Sight
According to a recent report by Trend Micro researchers, a new piece of malware is circulating on the web. The researchers describe it as rather unremarkable, with one notable feature: it takes its instructions from commands hidden inside meme images posted to Twitter.
The malware is described as a primitive RAT (Remote Access Trojan). Once on a compromised computer, it quietly collects data from the system and takes screenshots, then sends the stolen data to a C&C (command-and-control) server, where the operator can inspect it.
None of this is new or revolutionary behavior for malware; as many have already noted, it is very basic. What makes this sample stand out is its use of Twitter, and its dependence on commands hidden in memes, as its control channel.
How does it work?
According to their recent blog post, Trend Micro researchers believe that the malware operator posts the commands to Twitter. The researchers found at least two tweets that look like ordinary memes but carry commands hidden inside the meme images. The commands seen so far are very simple: they instruct the malware to take screenshots of the infected device.
After completing the job, the malware uses a Pastebin post to obtain the location of the C&C server to which the stolen data should be sent. Again, while the behavior of the malware itself is nothing new or groundbreaking, the delivery of commands is certainly creative.
The researchers also included the tweets themselves in their report, noting that the same channel could easily have carried additional commands. The command actually observed was “/print” (take a screenshot), but others such as “/processos” would retrieve the list of processes and apps running on the infected device, “/clip” would steal clipboard content, and “/docs” would instruct the malware to retrieve filenames and similar information.
Malware’s purpose and origins remain unknown
The malware has been around for several months now, and the researchers managed to trace it back to mid-October. This is when the Pastebin post was originally created, according to a hash lookup on VirusTotal.
However, despite the apparent simplicity of the malware, the researchers admit they do not yet have all the answers. How the malware infects devices, who is responsible for it, and where it came from all remain open questions. Even its real purpose is unknown: is it simple malware created out of boredom, or a test for something bigger to come?
Another puzzling detail is that the Pastebin post points to a local (private, non-routable) IP address, which cannot be reached over the internet. According to the researchers, this might indicate a proof-of-concept for attacks planned for the future.
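The control channel described under “How does it work?” and the private-address detail just mentioned, as an added illustration that is not code from the original article or from the malware itself: an operator hides a command in the least-significant bits of an image, the implant recovers the text, accepts it only if it matches the small command set the report names, and then reads the C&C location from a Pastebin-style note and checks whether that address is even routable. The LSB scheme, the function names and the sample data are assumptions made for the illustration; the real sample's encoding is not described on this page.

```python
"""
Toy reconstruction of a meme-based command channel (added example, not the
malware's code). No network access; every input is constructed inline.
The LSB steganography scheme and all names here are assumptions.
"""
import ipaddress
import random
import re

# Command strings named in the Trend Micro write-up.
KNOWN_COMMANDS = {"/print", "/processos", "/clip", "/docs"}


def embed_lsb(cover: bytes, message: str) -> bytes:
    """Hide a NUL-terminated ASCII message in the LSB of each pixel byte."""
    payload = message.encode("ascii") + b"\x00"
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]  # MSB first
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # replace LSB, keep the upper 7 bits
    return bytes(stego)


def extract_lsb(pixels: bytes, max_chars: int = 64) -> str:
    """Read LSBs back into bytes until a NUL or max_chars is reached."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        if len(out) >= max_chars:
            break
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        if byte == 0:
            break
        out.append(byte)
    return out.decode("ascii", errors="replace")


def parse_command(text: str):
    """Return the leading command token only if it is a known one, else None."""
    m = re.match(r"^(/[a-z]+)(?:\s|$)", text)
    if m and m.group(1) in KNOWN_COMMANDS:
        return m.group(1)
    return None


def classify_c2(note: str):
    """Pull the first host:port out of a Pastebin-style note and report whether
    the host is a private (non-routable) address, as the reported one was."""
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", note)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    return {"host": str(addr), "port": int(m.group(2)), "private": addr.is_private}


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between cover and stego image (1 for LSB)."""
    return max(abs(x - y) for x, y in zip(a, b))


# --- Constructed sample data (not taken from the real campaign) -------------
rng = random.Random(2018)
COVER = bytes(rng.randrange(256) for _ in range(64 * 64))  # 64x64 8-bit gray
MEME_WITH_CMD = embed_lsb(COVER, "/print")
PASTE_NOTE = "c2 -> 192.168.1.23:8080"  # private address, like the reported one

if __name__ == "__main__":
    cmd = parse_command(extract_lsb(MEME_WITH_CMD))
    print("recovered command:", cmd)                        # /print
    print("max pixel delta:", max_pixel_delta(COVER, MEME_WITH_CMD))  # 1
    print("clean cover parses as:", parse_command(extract_lsb(COVER)))
    print("C&C from note:", classify_c2(PASTE_NOTE))
```

The two checks worth keeping from this are the allowlist in parse_command (an implant that executes whatever text it recovers is one hijacked account away from being someone else's botnet) and the is_private test in classify_c2, which is exactly what would have flagged the reported Pastebin entry as unreachable from the internet.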
It is also interesting to see how a large social media site such as Twitter can be used as a communication channel for malware. The researchers confirmed that Twitter itself does not host malicious content and that a device cannot be infected by the command-carrying tweets; the tweets only steer malware that is already installed.
One likely explanation for the malware's use of Twitter is evasion: security software and network filters are unlikely to flag or block traffic to “twitter.com”, a well-known, trusted domain, whereas connections to an unknown server stand out. The practical consequence for defenders is that blocking by domain is not enough; the useful signal is which process makes the request and what it does next, for example a non-browser process fetching images from Twitter and then contacting a Pastebin URL.
Twitter was also quick to react: the account carrying the malware commands was permanently suspended after the researchers reported it. While the incident is interesting, it is not the first time Twitter's platform has been used as a communication channel by malware and botnet operators. One of the earliest incidents of this kind was in 2009, nearly a decade ago, when Twitter was used to command a botnet.
Another incident, in 2016, saw Twitter used to deliver commands to Android-based malware.