Security researchers say they have found a new strain of malware that takes its instructions from code hidden in memes posted on Twitter.
The malware itself is relatively underwhelming: like most basic remote access trojans (RATs), it infects a vulnerable computer, takes screenshots, pulls other data from the affected system and sends it back to the malware's command and control server.
What is interesting is how the malware uses Twitter as an unwitting channel for communicating with its malicious mother ship.
Trend Micro said in a blog post that the malware listens for commands from a Twitter account run by the malware operator. The researchers found two tweets that used steganography to hide a "/print" command in meme images, which told the malware to take a screenshot of the infected computer. The malware then separately retrieves the address of the command and control server from a Pastebin post, which tells it where to send the screenshots.
The researchers said that memes uploaded to the Twitter account could have carried other commands, such as "/processos" to retrieve a list of running programs and processes, "/clip" to steal the contents of the user's clipboard, and "/docs" to retrieve file names from specific folders.
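The mechanism described above, as an added illustration that is not code from the article or from the Trend Micro analysis: a command string is hidden in the least significant bits of an image's pixels, the recipient extracts it, and a small dispatcher maps the command to an action. The carrier format (a raw 8-bit grayscale pixel buffer), the length-prefixed LSB encoding and the synthetic gradient image are assumptions chosen for a self-contained demo; the page does not say which steganographic scheme the real sample used.

```python
"""Illustrative LSB image steganography carrying a bot command.

Assumed layout (not from the write-up): the hidden payload is a 32-bit
big-endian length prefix followed by UTF-8 bytes, one bit per pixel, in
the least significant bit of each 8-bit grayscale pixel.
"""
import struct
from typing import Optional

# Commands named in the article, mapped to the action the bot would take.
COMMANDS = {
    "/print": "take screenshot",
    "/processos": "list running processes",
    "/clip": "read clipboard contents",
    "/docs": "list file names in specific folders",
}


def carrier(width: int = 64, height: int = 64) -> bytes:
    """Constructed synthetic grayscale image (a gradient), standing in for a meme."""
    return bytes((x * 3 + y * 5) & 0xFF for y in range(height) for x in range(width))


def embed_lsb(pixels: bytes, message: str) -> bytes:
    """Return a copy of `pixels` with `message` hidden in the LSB of each pixel."""
    payload = message.encode("utf-8")
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(out)


def extract_lsb(pixels: bytes) -> Optional[str]:
    """Recover a hidden UTF-8 string, or None if no plausible payload is present."""

    def read_bytes(start_pixel: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start_pixel + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)

    if len(pixels) < 32:
        return None
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    # A clean image yields a random length; reject anything that does not fit.
    if length == 0 or 32 + length * 8 > len(pixels):
        return None
    try:
        return read_bytes(32, length).decode("utf-8")
    except UnicodeDecodeError:
        return None


def dispatch(message: Optional[str]) -> Optional[str]:
    """Map an extracted command to its action; unknown or absent commands return None."""
    if not message or not message.strip():
        return None
    return COMMANDS.get(message.split()[0])


def changed_pixels(original: bytes, modified: bytes) -> int:
    """Count pixels that differ; shows how little the carrier is disturbed."""
    return sum(1 for a, b in zip(original, modified) if a != b)


if __name__ == "__main__":
    clean = carrier()
    tweeted = embed_lsb(clean, "/print")
    print("hidden command:", extract_lsb(tweeted))
    print("bot action:", dispatch(extract_lsb(tweeted)))
    print("pixels touched:", changed_pixels(clean, tweeted), "of", len(clean))
```

Every pixel changes by at most one intensity level, which is why a meme carrying a command is visually indistinguishable from the original; the only defender-side signal in this toy scheme is the structure of the LSB plane, not the picture itself.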
According to a hash analysis on VirusTotal, the malware appears to have surfaced only in mid-October, around the time the Pastebin post was first created.
But the researchers admit they do not have all the answers, and more work needs to be done to understand the malware. It is not clear where it came from, how it infects its victims, or who is behind it. Nor is it clear what the malware is for, or how it will be used in the future. The researchers also do not know why the Pastebin post points to a local, non-routable address rather than an internet-reachable one, which suggests the sample may be a proof of concept for future attacks.
Although Twitter itself was not hosting any harmful content and could not by itself cause a malware infection, this is an interesting (though not unique) way of using a social media service as a covert channel to communicate with malware on an infected machine.
The logic goes that, by using Twitter, the malware connects to twitter.com, a domain far less likely to be flagged or blocked by anti-malware software than a dodgy-looking server run by the attacker.
After Trend Micro reported the account, Twitter took it offline and suspended it permanently.
This is not the first time malware or botnet operators have used Twitter as a platform for communicating with their networks. As far back as 2009, Twitter was used as a way to send commands to a botnet, and in 2016 Android malware was found communicating with a predefined Twitter account to receive commands.