Security researchers from Trend Micro have discovered a new piece of malware that retrieves commands from memes posted on Twitter by an account controlled by attackers.
Traditional malware typically relies on communication between the victim’s device and the attacker’s command-and-control server in order to receive instructions and carry out malicious tasks on the infected device. That traffic is often what security software detects, so the malware never reaches the victim. To get around this, attackers have recently started hiding the malware’s instructions inside an ordinary digital image, where they are invisible to the victim and can bypass detection. Attackers are also increasingly using legitimate sites and servers, which makes the traffic harder to spot.
The meme looks innocuous to the victim but actually carries a “/print” command hidden in the file’s metadata; when the malware reads it, it takes a screenshot of the victim’s computer and sends it to the attacker’s command-and-control server.
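The detection side of this technique, as an added example that is not from Trend Micro’s report: a Python scanner that pulls the textual metadata out of PNG tEXt chunks and JPEG COM segments and flags command-like tokens such as the “/print” described above. The article says only that the command sits in the file’s metadata, so the fields checked, the “slash plus short word” command pattern, and the two sample images are assumptions constructed here.

```python
import re
import struct
import zlib

# Only "/print" is named in the report; the general "slash + short word" shape is an assumption.
COMMAND_RE = re.compile(rb"^/[a-z]{3,12}\b")
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_text_chunks(data: bytes):
    """Yield the text of every tEXt chunk in a PNG file (uncompressed metadata)."""
    pos = len(PNG_SIG) if data.startswith(PNG_SIG) else len(data)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            yield body.partition(b"\x00")[2]  # layout is keyword NUL text
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def jpeg_comments(data: bytes):
    """Yield COM (0xFFFE) segment payloads that precede the scan data of a JPEG."""
    pos = 2 if data.startswith(b"\xff\xd8") else len(data)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: all metadata segments come before this
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            yield data[pos + 4:pos + 2 + seglen]
        pos += 2 + seglen

def find_commands(data: bytes):
    """Return command-like strings found in the image's textual metadata."""
    texts = list(png_text_chunks(data)) + list(jpeg_comments(data))
    return [t.decode("latin-1") for t in texts if COMMAND_RE.match(t.strip())]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a 1x1 PNG whose tEXt chunk carries "/print", and a JPEG
# header whose only COM segment is an ordinary comment.
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Comment\x00/print") + _chunk(b"IEND", b""))
SAMPLE_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xda"
```

Run `find_commands()` over image files harvested from a proxy or sandbox to surface metadata that looks like an instruction rather than a caption; a hit on a file fetched from a social-media CDN is worth a closer look.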
The Twitter account that contains the malicious memes was created in 2017 and contains only two memes carrying the “/print” command.
As well as taking screenshots, the malware can also capture the account name of the logged-in Twitter user, retrieve a list of running processes and get the filenames in specific directories.
Researchers aren’t sure what mechanism is being used to deliver the malware to the victim’s computer, only that the malware is not downloaded from Twitter itself.
The Twitter account now appears to have been disabled, and it still isn’t clear who is behind the malware or how it is being circulated.