• Cybercriminals are using steganography to embed malicious payloads within memes to spread malware.
  • Cybercriminals posted two malicious memes in Twitter on October 25 and 26.

Cybercriminals are combining memes with malware to conduct various malicious activities. Hackers have been spotted using steganography to embed malicious payloads within memes to bypass security solutions and perform various malicious activities.

Attackers posted two malicious memes in Twitter on October 25 and 26 that contained an embedded link. The embedded link that is parsed by the malware is redirected to the C2 server after its downloaded from the Twitter account to the victims' system. Fortunately, the malicious memes were not downloaded. However, the technique used by the attackers to deliver malware to victims remains unknown.

Analysis on the malware

Researchers from Trend Micro dubbed the new malware as ‘TROJAN.MSIL.BERBOMTHUM.AA’. Researchers noted that the malware’s command is received through Twitter, where the attackers post the malicious memes. According to the researchers, these malicious memes cannot be removed unless the Twitter account that posted them is disabled. However, Twitter has already disabled the account as of December 13, 2018.

The two malicious memes contained a “/print” command hidden inside the images which enabled the malware to take screenshots of the infected victim’s machine and send it to the C2 server.

Researchers found that once the malware was executed on an infected machine, it is able to download the malicious memes from the Twitter account to the victim’s machine. In the case of the “print” command hidden in the memes, the malware takes a screenshot of the infected machine and sends the collected information or the command output to the attacker by uploading it to a specific URL address, after obtaining the control server information from Pastebin.

Researchers also observed that Pastebin URL points to an internal or private IP address, which is a temporary placeholder used by the attackers. The malware then parses the content of the malicious Twitter account and begins looking for an image file using the pattern: “<img src=\”(.*?):thumb\” width=\”.*?\” height=\”.*?\”/>” on the account.

“The embedded commands instruct the malware to perform various operations on the infected machine, such as capture screenshots, collect system information, among others. Once the malware downloads the image, it attempts to extract the command that starts with the ‘/’ character,” Trend Micro researchers said.

Cyware Publisher