Cybercriminals Hide Malware Commands in Malicious Memes


Security / InfoSecIsland 24 Views 0

Development Micro security researchers have discovered a new piece of malware that receives commands by way of malicious memes its operators revealed on Twitter.&

The tactic used to hide malicious instructions is known as& steganographyand has long been abused by cybercriminals to cover malicious payloads inside information so as to evade security solutions. Several years ago, security researchers observed the method being abused in& exploit kitand& malvertising campaigns.

Using social media platforms akin to Twitter to ship instructions to malware isn’t new both. Malware that abuses such providers& has been aroundfor a number of years.&

As part of the newly& analyzedassault, the actor revealed two memes (photographs which are humorous in nature) containing malicious instructions on their Twitter account. The memes have been revealed in late October, however the account had been created last yr.&

The embedded command is parsed by the malware after the malicious meme is downloaded onto the sufferer’s machine. Detected as& TROJAN.MSIL.BERBOMTHUM.AA, the malware itself wasn’t downloaded from Twitter, however managed to infect the victim’s machine by way of an unknown mechanism.

The memes contained the “/print” command, which instructs the malware to take screenshots of the contaminated machine’s desktop. The malware then sends the screenshots to a command and control (C&C) server tackle that it had obtained via a hard-coded URL on

Once executed on an contaminated machine, the malware can obtain memes to extract after which execute the instructions embedded inside. The URL tackle used within the attack is an inner or personal IP handle, which the security researchers consider is a short lived placeholder utilized by the attackers.

Based mostly on the commands acquired by way of Twitter, the malware might capture the display, retrieve an inventory of operating processes, capture clipboard content material, retrieve the username from infected machine, or retrieve filenames from a predefined path (similar to desktop, %AppData% and so on.), the security researchers reveal.&

Twitter has already suspended the account utilized in these attacks.&

“Users and businesses can contemplate adopting security options that can shield techniques from numerous threats, reminiscent of malware that communicate with benign-looking photographs, via a cross-generational mix of menace defense methods,” Development Micro concludes.&

Associated:& Sundown Exploit Kit Starts Using Steganography

Associated:& Android Botnet Uses Twitter for Receiving Commands

Copyright 2010 Respective Writer at Infosec Island