Memes Shared on Twitter Infected with Malicious Code

If you find this useful please share it!



 

Memes. They’re cute. They’re funny. And they’re infected. That’s what researchers are saying about memes posted on Twitter from a particular account. The memes had commands embedded in their code, so that to look at the meme it looked normal, but when a computer infected with the particular malware encountered the meme, it would read the command and then execute it.

For example the code “/print” was embedded in the memes, which would cause the infected computer to take a screenshot.

In explaining the malicious memes, Hacker News said “Besides taking screenshots, the malware can also be given a variety of other commands, such as to retrieve a list of running processes, grab the account name of the logged in user, get filenames from specific directories on an infected machine, and grab a dump of the user’s clipboard.”


 

Commands that were discovered in the memes include /print (does a screen capture), /processos (retrieves a list of the processes running on the infected computer), /clip (grabs the contents from the computer’s clipboard), /username (grabs the username from the infected computer), and /docs which retrieves files.

Once the computer executed the commands, it would pass the results back to the bad guys.

The technique of hiding malicious content within the code of a digital image is known as steganography. Steganography has been around, and used by cyber criminals, for a while, however using it in this way – to embed commands in an image on social media, and to have the infected computers call home to the images in a particular Twitter account to get their orders, is new.


 
(Article continues below)
Read Internet Patrol Articles Right in Your Inbox
as Soon as They are Published! Only $1 a Month!

Imagine being able to read full articles right in your email, or on your phone, without ever having to click through to the website unless you want to! Just $1 a month and you can cancel at any time!
Memes Shared on Twitter Infected with Malicious Code
Or get notified of new Internet Patrol articles for free!

Said the researchers who discovered it, “This new threat is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.”

The Twitter Account that was Posting the Malicious Memes
infected meme twitter account

The malware that is running on the computers, christened TROJAN.MSIL.BERBOMTHUM.AA by researchers, is Windows malware. Once a PC is infected with TROJAN.MSIL.BERBOMTHUM.AA, it can read the hidden code in the memes, and then execute the commands contained within the meme.

The good news is that the infected memes were coming from one particular Twitter account, which Twitter has now shut down, and at the time there were only two such memes in the account, which were posted in October.

The bad news is that you can certainly expect more of this sort of exploit. And by having one component of their scheme resident on a public platform like Twitter, the bad guys have the advantage that nobody is going to shut Twitter down, like they would a private malware server.

If you think that your computer may have become infected, there are instructions for removing TROJAN.MSIL.BERBOMTHUM.AA here

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!

Memes Shared on Twitter Infected with Malicious Code

Get notified of new Internet Patrol articles!

If you find this useful please share it!

1 Reply to “Memes Shared on Twitter Infected with Malicious Code”

Leave a Reply

Your email address will not be published. Required fields are marked *