Researchers have observed a new threat that uses malicious memes posted on Twitter to receive command-and-control (C&C) instructions. Trend Micro observed that the malicious activity begins after a threat detected as "TROJAN.MSIL.BERBOMTHUM.AA" executes on an infected machine. As of this writing, the Japanese multinational digital security firm had not identified the delivery mechanism for the malware, though it had ruled out Twitter as the means of downloading the trojan. Upon execution, the malware looks up two tweets posted on 25 October 2018 and 26 October 2018 and then downloads two memes contained therein. The memes themselves look benign, but they actually employ steganography, a practice which has featured prominently in previous data exfiltration campaigns, to conceal malicious commands for the trojan.
[Figure: A screen capture of the malicious Twitter account with one of the malicious memes shown. (Source: Trend Micro)]
Aliakbar Zahravi, malware analyst at Trend Micro, discusses one such command contained in the malicious memes:
In the case of the "print" command hidden in the memes, the malware takes a screenshot of the infected machine. It then obtains the control server information from Pastebin. Afterwards, the malware sends out the collected information or the command output to the attacker by uploading it to a specific URL address.
At the time of their analysis, Zahravi and his fellow Trend Micro researchers observed the Pastebin URL pointing to an internal or private IP address, which the attackers could be using as a temporary placeholder. The security firm found that the malicious memes contained five commands in total. Aside from "print," the malware could extract the "/process" instruction to acquire a list of running processes on the infected machine. It could also use "/clip" to capture clipboard content, "/username" to obtain the username of the infected machine and "/docs" to retrieve filenames from a predefined path. Twitter suspended the account hosting these malicious memes on 13 December 2018, but that won't stop bad actors from using the same technique to communicate with other malware. Given this, and the fact that the trojan's delivery mechanism remains unknown, users should protect themselves by installing an anti-virus solution on their machines and keeping it up to date. They should also exercise caution around suspicious links and email attachments.
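One way a defender can hunt for the retrieval chain described above (tweet lookup and meme download, then a Pastebin lookup, then an upload to a private address) in web proxy logs, as an added example that is not part of the Trend Micro research or this article; the log format, host names and addresses below are constructed for illustration:

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not taken from the article): time host method url status
SAMPLE_LOG = """\
2018-12-14T10:01:02Z ws-17 GET https://twitter.com/i/web/status/1055 200
2018-12-14T10:01:05Z ws-17 GET https://pbs.twimg.com/media/meme1.jpg 200
2018-12-14T10:01:09Z ws-17 GET https://pastebin.com/raw/abcd1234 200
2018-12-14T10:01:15Z ws-17 POST http://172.16.4.21:8080/upload 200
2018-12-14T10:02:00Z ws-03 GET https://pbs.twimg.com/media/cat.jpg 200
2018-12-14T10:03:00Z ws-03 GET https://pastebin.com/raw/zzzz 200
2018-12-14T10:04:00Z ws-22 POST http://10.0.0.5/api 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def is_private_upload(method, url):
    """POST to an RFC 1918 / loopback address, like the placeholder server in the write-up."""
    try:
        return method == "POST" and ipaddress.ip_address(url.hostname).is_private
    except ValueError:  # hostname is a domain name or missing
        return False

# The chain mirrors the article's order: tweet/meme fetch -> Pastebin lookup -> upload.
STAGES = [
    lambda m, u: m == "GET" and u.hostname in ("twitter.com", "pbs.twimg.com"),
    lambda m, u: m == "GET" and u.hostname == "pastebin.com",
    is_private_upload,
]

def parse_log(text):
    """Yield (host, timestamp, method, parsed_url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, raw_url, _status = m.groups()
            yield host, ts, method, urlparse(raw_url)

def find_chains(text):
    """Return {host: timestamp} for hosts that complete every stage in order."""
    progress = defaultdict(int)
    hits = {}
    for host, ts, method, url in parse_log(text):
        stage = progress[host]
        if stage < len(STAGES) and STAGES[stage](method, url):
            progress[host] = stage + 1
            if progress[host] == len(STAGES):
                hits[host] = ts
    return hits
```

Only ws-17 completes all three stages; ws-03 stops at Pastebin and ws-22 posts to a private address without the preceding lookups, so neither is flagged.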