Cybercriminals Hide Malware Commands in Malicious Memes



Trend Micro security researchers have found a new piece of malware that receives its instructions from malicious memes that its operators published on Twitter.

The technique used to hide the commands is known as steganography: concealing data inside an otherwise ordinary file, here an image, so that the file still looks and renders like a normal picture. Cybercriminals have long abused it to hide malicious payloads inside files in order to evade security solutions. Several years ago, security researchers observed the technique being abused in exploit kit and malvertising campaigns.

Using social media platforms such as Twitter to send commands to malware isn't new either. Malware that abuses such services has been around for a number of years.

As part of the newly analyzed attack, the actor published two memes (images that are humorous in nature) containing malicious commands on their Twitter account. The memes were published in late October, but the account had been created last year.

The embedded command is parsed by the malware after the malicious meme is downloaded onto the victim's machine. Detected as TROJAN.MSIL.BERBOMTHUM.AA, the malware itself wasn't downloaded from Twitter; it infected the victim's machine through a mechanism that has not been identified.

The memes contained the "/print" command, which instructs the malware to take screenshots of the infected machine's desktop. The malware then sends the screenshots to a command and control (C&C) server address that it had obtained via a hard-coded URL on

Once running on an infected machine, the malware downloads the memes, extracts the embedded commands, and executes them. The C&C address retrieved in this attack is an internal (private) IP address, which the security researchers believe is a temporary placeholder used by the attackers.

Depending on the commands received via Twitter, the malware could capture the screen, retrieve a list of running processes, capture clipboard contents, retrieve the username from the infected machine, or retrieve filenames from a predefined path (such as the desktop, %AppData%, and so on), the security researchers reveal.
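The article describes the technique (steganography in a downloaded image, then extraction and parsing of a command) but not how the command was encoded in the memes. The following is an added example, not the malware's code and not Trend Micro's analysis: it embeds a length-prefixed command in the least-significant bits of a 24-bit BMP written and parsed with the standard library, recovers it on the "implant" side, and allow-lists the result so that only the one command name the article actually quotes ("/print") is accepted. The LSB encoding, the BMP carrier, the 16x16 gradient image, and every function name are assumptions chosen for illustration; the image is constructed, not a real meme.

```python
import struct
from typing import Optional, Tuple

# Constructed carrier: a 16x16 24-bit RGB gradient, pixel bytes in top-down
# row order, three bytes per pixel. Nothing here comes from a real meme.
WIDTH, HEIGHT = 16, 16


def make_pixels(width: int, height: int) -> bytearray:
    return bytearray((x * 13 + y * 7 + c * 31) & 0xFF
                     for y in range(height) for x in range(width) for c in range(3))


def embed_lsb(pixels: bytes, message: bytes) -> bytearray:
    """Hide a 16-bit length prefix plus message in the LSB of consecutive bytes."""
    payload = struct.pack(">H", len(message)) + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message too long for this carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(pixels: bytes, max_len: int = 4096) -> Optional[bytes]:
    """Recover the LSB payload, or None when the length header is not plausible.
    The bound on the length field is what stops a clean image (whose LSBs are
    effectively noise) from being treated as a carrier."""
    def read_bytes(count: int, bit_offset: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (pixels[bit_offset + i] & 1)
        return value.to_bytes(count, "big")

    if len(pixels) < 16:
        return None
    (length,) = struct.unpack(">H", read_bytes(2, 0))
    if length == 0 or length > max_len or 16 + length * 8 > len(pixels):
        return None
    return read_bytes(length, 16)


def to_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap raw pixel bytes in an uncompressed 24-bit BMP. Channel order does not
    matter here because both sides treat the pixel data as an opaque byte stream."""
    row = width * 3
    stride = (row + 3) & ~3                      # BMP rows are padded to 4 bytes
    body = b"".join(bytes(pixels[y * row:(y + 1) * row]).ljust(stride, b"\x00")
                    for y in range(height - 1, -1, -1))   # rows are stored bottom-up
    offset = 14 + 40                             # file header + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(body), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(body), 2835, 2835, 0, 0)
    return file_header + info_header + body


def from_bmp(data: bytes) -> Tuple[bytearray, int, int]:
    """Parse the headers and return pixel bytes in top-down row order."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if bpp != 24 or compression != 0 or height <= 0:
        raise ValueError("only uncompressed 24-bit bottom-up BMPs are handled")
    row = width * 3
    stride = (row + 3) & ~3
    rows = [data[offset + r * stride: offset + r * stride + row] for r in range(height)]
    return bytearray(b"".join(reversed(rows))), width, height


# "/print" is the only command name the article quotes; anything else is refused.
KNOWN_COMMANDS = {"/print"}


def parse_command(payload: Optional[bytes]) -> Optional[str]:
    """Allow-list the extracted text instead of acting on whatever came out."""
    if payload is None:
        return None
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    return text if text in KNOWN_COMMANDS else None


def round_trip(command: bytes = b"/print") -> Optional[str]:
    """Operator side: embed and publish; implant side: download, extract, parse."""
    meme = to_bmp(embed_lsb(make_pixels(WIDTH, HEIGHT), command), WIDTH, HEIGHT)
    pixels, _, _ = from_bmp(meme)
    return parse_command(extract_lsb(pixels))


if __name__ == "__main__":
    print("command recovered from stego image:", round_trip())
    print("command from the clean carrier:",
          parse_command(extract_lsb(make_pixels(WIDTH, HEIGHT))))
```

Two points carry over to real investigations. The carrier is visually unchanged (only the lowest bit of each byte moves), so a meme that looks harmless proves nothing; and an extractor that trusts the decoded text blindly is itself a hazard, which is why the parser above rejects everything outside a fixed command set. A clean image run through extract_lsb yields an implausible length field and is rejected before any bytes are interpreted.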

Twitter has already suspended the account used in these attacks.

"Users and businesses can consider adopting security solutions that can protect systems from various threats, such as malware that communicates with benign-looking images, through a cross-generational blend of threat defense techniques," Trend Micro concludes.

Related: Sundown Exploit Kit Starts Using Steganography

Related: Android Botnet Uses Twitter for Receiving Commands

Copyright 2010 Respective Author at Infosec Island