A Nastier Use of Memes Discovered: Remote-Controlling a Trojan Horse
Security experts have for ages run malware inside isolated real-world systems in order to study it forensically. These isolated 'honey pots' (more precisely sandboxes, since a honeypot proper is a decoy set up to lure attackers, whereas a sandbox is a quarantined machine on which a captured sample is detonated) are very productive instruments for developing countermeasures against malware. The quarantined sample is observed in a closed environment while the malware itself believes it is running on, and infecting, a real production machine. Of course, malware authors do not want their rivals and the defenders to keep observing their creation in a controlled environment and blowing the cover on how it operates.
According to Trend Micro, a mainstream anti-malware vendor, a malware author has started using memes posted on Twitter to issue commands to malware residing on infected computers. This clever trick, used by TROJAN.MSIL.BERBOMTHUM.AA, avoids the suspicion of users and observers alike, including the security researchers who isolate malware in sandboxes: an infected machine fetching an image from a Twitter account looks like ordinary web traffic rather than a connection to a command-and-control server. The meme posted by the malware author carries a specially crafted metadata entry that the malware interprets as a specific command.
One such meme is "What if I told you", a popular meme built on the image of Morpheus from The Matrix (see sample below).
To a casual observer the image above is innocent, but the version used by the malware author contains a special metadata entry that tells the malware its next move. Steganography, hiding information or a message in plain sight by exploiting what people perceive as important or unimportant, is fairly ordinary. According to Trend Micro, however, this is the first time memes have been used to hide malware-control commands. Note that because the command sits in a metadata field rather than in the pixel data, it is hidden only from people, not from tooling: anything that dumps the image's metadata will display it.
"The malware authors have posted two tweets featuring malicious memes on October 25 and 26 via a Twitter account created in 2017. The memes contain an embedded command that is parsed by the malware after it's downloaded from the malicious Twitter account onto the victim's machine, acting as a C&C service for the already-placed malware. It should be noted that the malware was not downloaded from Twitter and that we did not observe what specific mechanism was used to deliver the malware to its victims," explained Aliakbar Zahravi, Trend Micro's malware analyst.
TROJAN.MSIL.BERBOMTHUM.AA in particular parses the downloaded meme's metadata and takes a screenshot of the infected computer once it finds a '/print' command in the metadata tag. The Trojan's author then receives the screenshots through a specially created Pastebin URL.
Zahravi went on to probe the Trojan's other functions and identified at least five commands the author can issue. Besides /print, they are:
| Command | Action |
|---|---|
| /processos | Retrieve the list of running processes |
| /clip | Capture clipboard content |
| /username | Retrieve the username from the infected machine |
| /docs | Retrieve filenames from a predefined path (Desktop, %AppData%, etc.) |
“At the time of analysis, the two memes (DqVe1PxWoAIQ44B.jpg and DqfU9sZWoAAlnFh.jpg) contained the command “print”. The embedded commands instruct the malware to perform various operations on the infected machine, such as capture screenshots, collect system information, among others. Once the malware downloads the image, it attempts to extract the command that starts with the ‘/’ character,” concluded Zahravi.
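The extraction step Zahravi describes, as an added example written for this page (it is neither the Trojan's code nor Trend Micro's): a Python scanner that walks a JPEG's header segments, pulls out every '/'-prefixed token it finds in the metadata, and checks the tokens against the command list above. The same routine doubles as a detection check for images fetched by a suspect host. The article does not say which metadata field the Trojan reads, so scanning all COM and APPn segments is an assumption, and the JPEG bytes used as input are constructed inline, not taken from the tweets.

```python
import re
import struct

# Commands the article attributes to TROJAN.MSIL.BERBOMTHUM.AA.
KNOWN_COMMANDS = {"/print", "/processos", "/clip", "/username", "/docs"}

# A command is a '/' followed by a short alphabetic word (assumed shape).
COMMAND_RE = re.compile(rb"/[A-Za-z]{3,16}")

EOI, SOS = 0xD9, 0xDA


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every header segment that precedes the scan data.

    A JPEG is a sequence of 0xFF-prefixed markers; all but a few carry a
    2-byte big-endian length that counts the length bytes themselves. The
    entropy-coded pixel stream begins after SOS, so we stop there: metadata
    (COM, APP1/Exif, other APPn) lives in the header segments.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (EOI, SOS):
            return
        # RSTn and TEM are standalone markers with no length field.
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_embedded_commands(data: bytes):
    """Return every '/'-prefixed token found in the metadata segments, with its marker."""
    found = []
    for marker, payload in jpeg_segments(data):
        for m in COMMAND_RE.finditer(payload):
            found.append((marker, m.group().decode("ascii")))
    return found


def classify(data: bytes):
    """Flag an image whose metadata carries one of the Trojan's known commands."""
    commands = [cmd for _, cmd in find_embedded_commands(data)]
    hits = sorted(set(commands) & KNOWN_COMMANDS)
    return {"commands": commands, "known_hits": hits, "suspicious": bool(hits)}


def build_jpeg(comment: bytes = b"", exif_text: bytes = b"") -> bytes:
    """Constructed sample: a minimal JPEG skeleton with optional APP1 and COM payloads."""
    out = bytearray(b"\xff\xd8")                         # SOI
    if exif_text:
        payload = b"Exif\x00\x00" + exif_text
        out += b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # APP1
    if comment:
        out += b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment  # COM
    out += b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9"  # SOS, then EOI
    return bytes(out)


if __name__ == "__main__":
    benign = build_jpeg(comment=b"What if I told you")
    tainted = build_jpeg(comment=b"/print", exif_text=b"constructed sample")
    print("benign :", classify(benign))
    print("tainted:", classify(tainted))
```

COMMAND_RE will also pick up path-like fragments of ordinary strings (a URL in an Exif field yields tokens such as "/foo"), so alerting is gated on the known command set rather than on the mere presence of a slash; for hunting, log every candidate token and review the ones that are not in the list.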