Security researchers at Trend Micro have spotted a new strain of malware that retrieved commands from memes posted on a Twitter account controlled by the attackers. In this way, attackers make it hard to detect traffic associated with the malware that is this case appears as legitimate Twitter traffic.
The use of legitimate web services to control malware is not a novelty, it the past crooks used legitimate services like Gmail, DropBox, PasteBin, and also Twitter to control malicious codes.
The malware discovered by Trend Micro leverages on the steganography to hide the commands embedded in a meme posted on Twitter.
“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.” reads the post published by Trend Micro.
“Twitter has already taken the account offline as of December 13, 2018.”
Attackers hid the “/print” command in the memes, it allows them to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.
The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads
The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.
Below the list of commands supported by the malware:
|/processos||Retrieve list of running processes|
|/clip||Capture clipboard content|
|/username||Retrieve username from infected machine|
|/docs||Retrieve filenames from a predefined path such as (desktop, %AppData% etc.)|
According to Trend Micro, the malware is in the early stages of its development, experts noticed that the Pastebin link points to a local,
(SecurityAffairs –malware, memes)