Security researchers said they’ve found a new kind of malware that takes its instructions from code hidden in memes posted to Twitter.The malware itself is relatively underwhelming: like most primitive remote access trojans (RATs), the malware quietly infects a vulnerable computer, takes screenshots and pulls other data from the affected system and sends it back to the malware’s command and control server.
What’s interesting is how the malware uses Twitter as an unwilling conduit in communicating with its malicious mothership.
Trend Micro said in a blog post that the malware listens for commands from a Twitter account run by the malware operator. The researchers found two tweets that used steganography to hide “/print” commands in the meme images, which told the malware to take a screenshot of an infected computer. The malware then separately obtains the address where its command and control server is located from a Pastebin post, which directs the malware where to send the screenshots — 10/10 points for creativity, that’s for sure.
The researchers said that memes uploaded to the Twitter page could have included other commands, like “/processors” to retrieve a list of running apps and processes, “/clip” to steal the contents of a user’s clipboard and “/docs” to retrieve filenames from specific folders.
The malware appears to have first appeared in mid-October, according to a hash analysis by VirusTotal, around the time that the Pastebin post was first created.
But the researchers admit they don’t have all the answers, and more work needs to be done to fully understand the malware. It’s not clear where the malware came from, how it infects its victims or who’s behind it. It’s also not clear exactly what the malware is for — or its intended use in the future. The researchers also don’t know why the Pastebin post points to a local, non-internet address, suggesting it may be a proof-of-concept for future attacks.
Although Twitter didn’t host any malicious content, nor could the tweets result in malware infection, it’s an interesting (although not unique) way of using the social media site as a clever way of communicating with malware.
The logic goes that in using Twitter, the malware would connect to “twitter.com,” which is far less likely to be flagged or blocked by anti-malware software than a dodgy-looking server.
The good news is that the Twitter account used to deliver the malicious memes appears to have been disabled, but it is still not clear who is behind this malware and how the mysterious hacker was circulating the malware.