Recent findings by security researchers have highlighted a concerning trend in cybercrime, where attackers use seemingly harmless cloud-based services to hide their malicious activities. Trend Micro has discovered a new malware variant that is particularly striking for its use of steganography—concealing malicious commands within memes posted on a Twitter account controlled by the hackers.

This malware operates by retrieving commands embedded in memes, thus bypassing traditional security measures that monitor network traffic for malicious activity. Typically, malware communicates with command-and-control servers to receive directives. However, by exploiting legitimate platforms like Twitter, attackers can effectively obscure their operations, complicating detection efforts.

The malware in question, designated as “TROJAN.MSIL.BERBOMTHUM.AA,” monitors a specific Twitter account for memes, which it scans for hidden commands. For example, within the file metadata of an innocuous-looking meme, a command instructs the malware to capture screenshots of the infected system and send them to a remote server controlled by the attackers.
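Hunting for this kind of hidden command is a file-triage problem: an image has a well-defined end, and metadata fields are supposed to hold text, not instructions. The script below is an added example written for this article, not code from Trend Micro or from the malware. It walks a PNG's chunk list, collects the `tEXt` metadata chunks and any bytes appended after the `IEND` chunk, and flags slash-prefixed keywords in either place. The sample images, the `/capture` token, and the slash-keyword heuristic are all constructed assumptions for the demo, not indicators from the report; a JPEG variant would need a segment walk to the EOI marker instead.

```python
"""Triage scanner for PNG files that may carry hidden command strings.

Added example, not Trend Micro's or the malware's code: walks the PNG chunk
list, collects tEXt metadata and any bytes that follow IEND, then flags
command-like tokens in either place. Samples and the "/capture" token are
constructed for this demo.
"""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed heuristic: a slash-prefixed keyword, the shape a chat-style
# bot command usually takes. Tune it to what your own telemetry shows.
CMD_RE = re.compile(rb"/[A-Za-z]{3,}")
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def walk_png(data):
    """Return (offset just past IEND, list of tEXt payloads); None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos, texts = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            return None                      # truncated chunk
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != struct.unpack(">I", crc)[0]:
            return None                      # corrupt chunk: not a well-formed PNG
        if ctype == b"tEXt":
            texts.append(payload)
        pos += 12 + length                   # 4 len + 4 type + payload + 4 crc
        if ctype == b"IEND":
            return pos, texts
    return None                              # no IEND reached: malformed


def scan_png(data):
    """Classify one image; returns a dict a SOC pipeline could log or alert on."""
    parsed = walk_png(data)
    if parsed is None:
        return {"verdict": "malformed", "trailing_bytes": 0,
                "metadata_strings": [], "command_like": []}
    end, texts = parsed
    trailing = data[end:]                    # anything after IEND is not image data
    # tEXt payload is "keyword\0text"; printable runs cover both halves.
    metadata_strings = [s.decode("latin-1") for t in texts for s in STRING_RE.findall(t)]
    haystack = b"\n".join(texts) + b"\n" + trailing
    command_like = sorted({m.decode() for m in CMD_RE.findall(haystack)})
    if command_like:
        verdict = "suspicious"
    elif trailing:
        verdict = "review"                   # appended data, no obvious command
    else:
        verdict = "clean"
    return {"verdict": verdict, "trailing_bytes": len(trailing),
            "metadata_strings": metadata_strings, "command_like": command_like}


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def make_png(extra_chunks=(), trailer=b""):
    """Build a 1x1 red RGB PNG; extra_chunks go before IEND, trailer after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + 1 pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIG + body + _chunk(b"IEND", b"") + trailer


# Constructed samples (not real malware artifacts).
CLEAN = make_png(extra_chunks=[(b"tEXt", b"Comment\x00just a meme")])
META_CMD = make_png(extra_chunks=[(b"tEXt", b"Comment\x00/capture")])
TRAILER_CMD = make_png(trailer=b"\x00\x00/capture\x00")
TRAILER_ONLY = make_png(trailer=b"\x00" * 16)
TRUNCATED = CLEAN[:-4]

if __name__ == "__main__":
    for name, img in [("clean", CLEAN), ("meta_cmd", META_CMD),
                      ("trailer_cmd", TRAILER_CMD), ("trailer_only", TRAILER_ONLY),
                      ("truncated", TRUNCATED)]:
        print(name, scan_png(img))
```

The "review" verdict for appended bytes without a recognisable token is deliberate: steganographic payloads need not be printable, so the presence of trailing data is itself worth a second look even when the keyword heuristic misses. Pair this with endpoint telemetry (a non-browser process fetching images from social-media or paste-site domains) rather than relying on file inspection alone.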

Research indicates that the Twitter account linked to this malware was created in 2017 and contained only a couple of memes posted in late October 2022. These memes carried commands directing the malware to generate screenshots. Notably, the commands instructed the malware to send those screenshots to a control server whose address was obtained from a hard-coded Pastebin URL.

The malware’s capabilities extend beyond simply taking screenshots. It can also retrieve running processes, collect the logged-in user’s account name, gather file names from specific directories, and extract clipboard data from the victim’s machine. This multifunctionality raises concerns about the potential for extensive data leakage from compromised systems.

Importantly, Twitter is not the infection vector: the malware itself is not downloaded from Twitter, and no clear method by which it reaches victims’ devices has been identified. The good news is that the Twitter account used to distribute the memes appears to have been disabled, although the identity of the attackers remains unknown.

Viewing this incident through the lens of the MITRE ATT&CK framework points to several tactics and techniques that may have been employed. Initial access could have involved social engineering, while persistence might rely on the commands embedded in the memes. Privilege escalation techniques are also likely, given the malware’s ability to extract sensitive information and operate in the background.

In conclusion, this case underscores the importance of vigilance among businesses regarding cybersecurity threats, especially those utilizing legitimate platforms as a façade for malicious intent. Although Twitter’s proactive measures have mitigated immediate risk by disabling the account, the evolving nature of such threats warrants continuous monitoring and robust cybersecurity strategies to ensure protection against similar attacks in the future.
