That Awkward Moment When Cybercriminals Use Memes To Hide Malicious Code

Researchers from Trend Micro have reported the discovery of two Twitter posts containing malicious memes that feature hidden code that acts like a command-and-control service for downloaded malware.

In a blog post published late last week, the researchers said the tweets were posted on Oct. 25 and 26, respectively, using a Twitter account created back in 2017. Abusing the meme this way is essentially a unique form of steganography, a technique used by malware developers to conceal malicious code inside images in order for it to go undetected.

In this case, the memes hid a “/print” command, which tells the malware to take screenshots of the infected machine and then exfiltrate images to an attacker-controlled server whose address is available via a hard-coded URL on Pastebin.com.

Trend Micro identities the corresponding malware as TROJAN.MSIL.BERBOMTHUM.AA. Researcher and blog post author Aliakbar Zahravi said the threat is “notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.”

This malware supports other commands besides “/print,” including commands for capturing clipboard content, and collecting host machine information, including usernames, running processes and file names. It is not clear, however, what the method or vector is through which the malware infects its victims.

Twitter removed the offending account on Dec. 13, Trend Micro added. A screenshot provided by the cybersecurity company shows that one of the memes featured an image of Laurence Fishburne in The Matrix, with words that read: “WHAT IF I TOLD YOU THE RESOURCES ARE NOT REAL”. The user’s display name in the screenshot was “bomber”.

Twitter’s shares fell seven percent yesterday following the Trend Micro report, as well as a public disclosure from the social media giant that it was investigating unusual online support forum traffic that could have been the work of state-sponsored hackers.