New malware pulls its instructions from code hidden in memes posted to Twitter

NelsonG · December 17, 2018

Security researchers said they’ve found a new kind of malware that takes its instructions from code hidden in memes posted to Twitter.

The malware itself is relatively underwhelming: like most primitive remote access trojans (RATs), the malware quietly infects a vulnerable computer, takes screenshots and pulls other data from the affected system and sends it back to the malware’s command and control server.

What’s interesting is how the malware uses Twitter as an unwilling conduit in communicating with its malicious mothership.

Trend Micro said in a blog post that the malware listens for commands from a Twitter account run by the malware operator. The researchers found two tweets that used steganography to hide “/print” commands in the meme images, which told the malware to take a screenshot of an infected computer. The malware then separately obtains the address where its command and control server is located from a Pastebin post, which directs the malware where to send the screenshots — 10/10 points for creativity, that’s for sure.

The researchers said that memes uploaded to the Twitter page could have included other commands, like “/processos” to retrieve a list of running apps and processes, “/clip” to steal the contents of a user’s clipboard and “/docs” to retrieve filenames from specific folders.

The malware appears to have first appeared in mid-October, according to a hash analysis by VirusTotal, around the time that the Pastebin post was first created.

But the researchers admit they don’t have all the answers, and more work needs to be done to fully understand the malware. It’s not clear where the malware came from, how it infects its victims or who’s behind it. It’s also not clear exactly what the malware is for — or its intended use in the future. The researchers also don’t know why the Pastebin post points to a local, non-internet address, suggesting it may be a proof-of-concept for future attacks.

Although Twitter didn’t host any malicious content, nor could the tweets result in a malware infection, it’s an interesting (although not unique) way of using the social media site as a clever way of communicating with malware.

The logic goes that in using Twitter, the malware would connect to “twitter.com,” which is far less likely to be flagged or blocked by anti-malware software than a dodgy-looking server.

After Trend Micro reported the account, Twitter pulled the account offline, suspending it permanently.

It’s not the first time malware or botnet operators have used Twitter as a platform for communicating with their networks. Even as far back as 2009, Twitter was used as a way to send commands to a botnet. And, as recently as 2016, Android malware would communicate with a predefined Twitter account to receive commands.