Information security specialists have discovered an unusual piece of malware that accepts commands hidden in memes posted on Twitter. After receiving a command, the program collects data accordingly and sends it to a server whose address it also learns from an intermediate, publicly available service, researchers report on the Trend Micro blog.
Attackers often do not act directly but conceal the work of their software. Steganography is frequently used for this: a data-transfer method that hides the fact that a transfer is taking place at all. For example, malicious software may be hidden in a file whose extension is not that of an executable (.exe, .bin and others) but that of an image (.jpg, .png and others). As a result, neither the user nor the anti-virus mechanisms on the system may suspect that a malicious file has reached the computer.
Specialists from Trend Micro have discovered a new way of using steganography for malicious software: hiding commands in memes. The experts studied the code of the detected program and worked out how it operates. After reaching the victim's computer and starting, the program downloads data from a specific page on the Pastebin service and learns the address of the attacker's server from there. It then collects data from a specific Twitter account and searches it for images. The program then looks in the image file for a hidden command beginning with the "/" symbol, executes it, and sends the resulting data to the attacker's server.
In the Pastebin account referenced by the code, the researchers found a local address, and the corresponding Twitter account contained only two memes, each carrying the hidden command "/print", on receipt of which the program took a screenshot of the victim's screen. Apparently the detected program was used by its authors as an experimental test of the method rather than as fully fledged software for collecting data from many users.
In addition to the "/print" command, the researchers found several more commands available in the malicious code. "/processos" collects data about the processes running on the user's computer, "/clip" collects the clipboard contents, "/username" records the user name on the computer, and "/docs" records the names of the files in a specific directory.
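The following is an added detection example, not code from Trend Micro's analysis or from the malware itself: it checks whether an image file carries one of the command tokens listed above in data appended after the image's structural end (the JPEG EOI marker or the PNG IEND chunk). The article does not say where in the file the command is stored, so the "appended after the end marker" location is an assumption, and the sample images are constructed inline.

```python
import re
import struct
import zlib

# Command tokens named in the article (the malware's own spelling, including "processos").
KNOWN_COMMANDS = (b"/print", b"/processos", b"/clip", b"/username", b"/docs")
CMD_RE = re.compile(rb"(/[a-z]+)", re.IGNORECASE)
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def image_trailer(data: bytes) -> bytes:
    """Return the bytes after the image's structural end; b'' for non-images."""
    if data[:2] == b"\xff\xd8":                      # JPEG: SOI marker
        end = data.rfind(b"\xff\xd9")                 # last EOI marker
        return data[end + 2:] if end != -1 else b""
    if data.startswith(PNG_SIG):                      # PNG: walk the chunk list
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):                   # chunk = length, type, body, crc
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length
            if ctype == b"IEND":                      # everything after IEND is foreign
                return data[pos:]
    return b""

def find_hidden_commands(data: bytes) -> list[str]:
    """Known command tokens found in the trailer, lower-cased, in file order."""
    found = []
    for m in CMD_RE.finditer(image_trailer(data)):
        tok = m.group(1).lower()
        if tok in KNOWN_COMMANDS:
            found.append(tok.decode())
    return found

# Constructed samples (assumption: the command is appended after the end marker).
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
TAMPERED_PNG = CLEAN_PNG + b"/print"
TAMPERED_JPEG = b"\xff\xd8\xff\xe0\x00\x04\x00\x00\xff\xd9" + b"junk /Processos"

if __name__ == "__main__":
    for name, blob in [("clean png", CLEAN_PNG), ("png", TAMPERED_PNG), ("jpeg", TAMPERED_JPEG)]:
        print(name, find_hidden_commands(blob))
```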
The researchers note that this technique allows the receipt of commands to be hidden, because anti-virus programs usually do not treat connections to social networks and other popular sites as suspicious. It is worth noting that attacks that embed commands in images and post those images on social networks have been used before. In addition, some attackers have used simpler methods, in which Twitter accounts publish commands for the malware in plain text.