Security researchers have discovered another example of how cyber-criminals disguise their malware activity as regular traffic by using legitimate cloud-based services.
Trend Micro researchers have exposed new malware that retrieves its commands from memes posted on a Twitter account controlled by the attackers.
Most malware depends on communication with a command-and-control server to receive instructions from the attackers and carry out various malicious tasks on infected systems.
Since security software keeps an eye on network traffic to detect malicious IPs, attackers are increasingly using trusted sites and servers as attack infrastructure, making the malicious traffic harder to detect.
According to the researchers, the malicious scheme they spotted is in its early stages; the hackers use steganography.
Steganography is a technique for hiding content inside a digital image in a way that is invisible to an observer. Here, the hackers embed malicious commands in a meme image posted on Twitter, which the malware then parses and executes.
Although the meme looks like a normal image to the human eye, the command "/print" is hidden in the image's metadata; it instructs the malware to send a screenshot of the victim's computer.
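As an added detection example (not Trend Micro's code or the malware's), the script below walks a PNG's chunks, pulls the text out of its tEXt metadata, and flags command-like tokens such as "/print". The page does not say which image format or metadata field carried the command, so PNG tEXt chunks are an assumption, and the sample image is constructed in the script itself.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(text_fields: dict) -> bytes:
    """Constructed 1x1 RGB PNG carrying the given keyword/text pairs as tEXt chunks."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    texts = b"".join(
        _chunk(b"tEXt", k.encode("latin-1") + b"\x00" + v.encode("latin-1"))
        for k, v in text_fields.items()
    )
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # one filtered scanline
    return PNG_SIG + ihdr + texts + idat + _chunk(b"IEND", b"")

def png_text_chunks(data: bytes) -> list:
    """Return (keyword, text) pairs from every tEXt chunk in a PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, out = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            out.append((key.decode("latin-1"), text.decode("latin-1")))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    return out

# A slash followed by letters, not part of a URL path or "//" (heuristic, assumed).
COMMAND_RE = re.compile(r"(?<![\w/])/[a-z]{3,}\b")

def find_command_tokens(data: bytes) -> list:
    """Flag command-like tokens (e.g. '/print') hidden in PNG text metadata."""
    hits = []
    for _, text in png_text_chunks(data):
        hits.extend(COMMAND_RE.findall(text))
    return hits

if __name__ == "__main__":
    sample = build_png({"Comment": "/print"})  # constructed, mirrors the page's command
    print(find_command_tokens(sample))  # ['/print']
```

Run over a directory of downloaded images, a non-empty result from find_command_tokens is a cheap triage signal that the file deserves a closer look.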
The researchers named the malware "TROJAN.MSIL.BERBOMTHUM.AA". It is designed to check the attacker's Twitter account, then download the images and scan them for malicious commands.
Trend Micro researchers say the Twitter account in question was created in 2017 and contained only two posts, on October 25 and 26, which delivered "/print" commands instructing the malware to take screenshots.
The malware then sends the screenshots to a command-and-control server whose address it obtains from a hard-coded URL on the Pastebin site.
Besides taking screenshots, the malware also supports a variety of other commands, such as grabbing the account name of the logged-in user, retrieving a list of running processes, getting filenames from specific directories on the infected device, and grabbing a dump of the user's clipboard.
The malware appears to be in the early stages of development, as the Pastebin link points to a local, private IP address, "which is possibly a temporary placeholder used by the attackers."
It's worth noting that the malware was not downloaded from Twitter itself; the researchers have not yet determined what mechanism the attackers use to deliver the malware to victims' machines.
The good news is that the Twitter account used to deliver the malicious meme images appears to have been disabled, but it is still not clear who is behind the malware or how the hackers were circulating it.