Delaware, USA – December 17, 2018 – Adversaries are using steganography to hide commands in malicious memes posted on Twitter. Researchers from TrendMicro discovered a new malware strain that downloads images from a specific Twitter account and extracts from them a command that starts with the ‘/’ character. The trojan is capable of taking screenshots, retrieving the username and a list of running processes, capturing clipboard content and stealing files from specific directories. The malware uploads the stolen information to the attackers’ server, the address of which it obtains from the attackers’ Pastebin account. The malicious Twitter account has since been blocked. At the time of discovery, there were 2 posted memes containing the command ‘/print’ (take a screenshot), but the adversaries could have deleted earlier posts to hide details of their operations.
It is worth noting that the cybercriminals use steganography not to deliver the malware but to operate it. Using Twitter lets them send commands without raising alerts from security solutions: a security officer who views the malicious social network profile sees only a set of memes. It is not yet known how the malware infects systems, nor whether this is the final version or the adversaries are still testing the tool before a real attack. The functionality of the trojan is not impressive, but it is enough to prepare a more sophisticated attack or to steal sensitive information. To detect volume-based data leakage, you can use the Netflow Security Monitor rule pack, which enables real-time traffic profiling and notifies SIEM administrators of any suspicious traffic spikes: https://my.socprime.com/en/integrations/netflow-security-monitor-kibana
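The volume-based detection the rule pack is described as performing can be illustrated with a small per-host traffic profile. The following is an added example written for this post, not code from SOC Prime or from the Netflow Security Monitor rule pack: it aggregates outbound bytes per internal host per minute from constructed NetFlow-style records, builds each host's own baseline from earlier minutes, and flags a host whose current minute exceeds that baseline by a multiplier and an absolute floor. The internal range (10.0.0.0/8), the record layout, the threshold values and all addresses are assumptions made for the example.

```python
"""Volume-based exfiltration detection over NetFlow-style records.

Added example (not SOC Prime's rule pack): profile per-host outbound bytes
per minute, then flag a host whose current minute is far above its own
baseline. All flow data below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample flows: (minute, src_ip, dst_ip, dst_port, bytes_out).
# Host 10.0.0.5 uploads roughly 60 KB/min for ten minutes, then pushes
# 40 MB to a single external host in minute 10 (simulated exfiltration).
# Host 10.0.0.7 is steady throughout.
SAMPLE_FLOWS = []
for _minute in range(10):
    SAMPLE_FLOWS.append((_minute, "10.0.0.5", "203.0.113.10", 443, 60_000 + _minute * 500))
    SAMPLE_FLOWS.append((_minute, "10.0.0.7", "203.0.113.20", 443, 120_000))
SAMPLE_FLOWS.append((10, "10.0.0.5", "198.51.100.9", 443, 40_000_000))
SAMPLE_FLOWS.append((10, "10.0.0.7", "203.0.113.20", 443, 125_000))

# Assumption for the example: 10.0.0.0/8 is the monitored internal range.
INTERNAL_PREFIX = "10."


def outbound_per_minute(flows):
    """Return {src_ip: {minute: total_bytes}} for internal sources
    sending to external destinations (internal-to-internal traffic is ignored)."""
    totals = defaultdict(lambda: defaultdict(int))
    for minute, src, dst, _port, nbytes in flows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            totals[src][minute] += nbytes
    return totals


def detect_spikes(flows, current_minute, factor=5.0, min_bytes=5_000_000):
    """Flag hosts whose outbound bytes in current_minute exceed `factor` times
    their own baseline mean (all earlier minutes) and also exceed `min_bytes`.

    The absolute floor keeps a quiet host from alerting on a trivially small
    increase; the per-host baseline keeps a naturally busy host from alerting
    on its normal volume. Returns a list of (src_ip, bytes_now, baseline_mean).
    """
    alerts = []
    for src, per_min in outbound_per_minute(flows).items():
        history = [b for m, b in per_min.items() if m < current_minute]
        if not history:
            continue  # no baseline yet; treat as a profiling warm-up period
        now = per_min.get(current_minute, 0)
        base = mean(history)
        if now >= min_bytes and now > factor * base:
            alerts.append((src, now, base))
    return alerts


if __name__ == "__main__":
    for src, now, base in detect_spikes(SAMPLE_FLOWS, current_minute=10):
        print(f"ALERT {src}: {now} bytes out in minute 10 vs baseline {base:.0f} bytes/min")
```

Run against the constructed flows, only 10.0.0.5 is reported for minute 10; 10.0.0.7's small increase stays under both thresholds, and no host alerts in the warm-up minutes. In a real deployment the baseline window, multiplier and floor would be tuned per network segment, and a flow collector rather than an inline list would feed the records.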