
Cybercriminals Use Malicious Memes That Communicate with Malware - sus_007
https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/
======
mherchel
If I were in a band, I'd seriously consider naming it the "Malicious Memes"

------
chippy
"It should be noted that the malware was not downloaded from Twitter and that
we did not observe what specific mechanism was used to deliver the malware to
its victims."

------
robarr
Is this not a waste of resources? The malware creators could open a Twitter
account and post commands directly using established and apparently innocuous
phrases or words. Tweeting “hi” is not a breach of ToS and is less
complicated.

~~~
zeveb
I think it's because a meme-repeating Twitter account looks more real than one
which is randomly saying 'hi' (or whatever) over and over and over.

It's pretty clever, because the malware needn't even necessarily be checking
the same account over and over: a DGA-style[0] approach could be used, in
which the malware checks a different account each day (or hour, or whatever).

Twitter has some options to find this sort of thing, of course, but malware
authors have some options to more-cleverly hide data, too. Encoding raw text
in an image is easy, and easily-found; encrypted (and hence random-looking)
data is harder to detect. Re-encoding images can destroy some sorts of hidden
data, but not others (e.g. lossy encoding will likely destroy data encoded on
low bits, but information encoded as large swaths of light or dark is less
likely to be lost).

Error coding could even be used to make the data more resistant to loss. I
don't know if there's a good way to make data all of: resistant to loss,
encrypted and hidden, though: seems like the structure of error coding would
make it detectable, while a high-apparent-entropy code would be more
susceptible to unrecoverable errors. But I'm not an expert in the field.

Those are just my off-the-cuff thoughts; someone who _is_ an expert no doubt has
better thoughts to share.

0: https://en.wikipedia.org/wiki/Domain_generation_algorithm
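
A defender-side illustration of the point above (added example, not part of the thread or of the Trend Micro write-up): raw text written into the low bits of an image decodes to almost entirely printable ASCII, whereas the LSB plane of an ordinary image, or an encrypted payload, looks like noise, and coarse requantisation (a crude stand-in for lossy re-encoding) wipes the low bits out. The cover "image" and the payloads are constructed in the code; no real sample is used.

```python
import random
from typing import List, Sequence

PRINTABLE = set(range(32, 127)) | {9, 10, 13}  # ASCII text plus tab/CR/LF


def lsb_plane_bytes(pixels: Sequence[int]) -> bytes:
    """Gather the least-significant bit of each 8-bit sample into bytes, MSB first."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        value = 0
        for sample in pixels[i:i + 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def lsb_plane_looks_like_text(pixels: Sequence[int], threshold: float = 0.9) -> bool:
    """Heuristic: a noise-like LSB plane decodes to ~38% printable bytes (98 of 256),
    so a plane that is almost entirely printable ASCII suggests raw text in the low bits.
    Encrypted data is just as random as the cover, so this check will NOT flag it."""
    return printable_ratio(lsb_plane_bytes(pixels)) >= threshold


# --- constructed test data (not taken from any real image or malware sample) ---
def embed_lsb(pixels: Sequence[int], payload: bytes) -> List[int]:
    """Write payload bits into the LSB of successive samples (builds test data only)."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    assert len(bits) <= len(pixels), "payload larger than cover"
    return [(p & ~1) | bit for p, bit in zip(pixels, bits)] + list(pixels[len(bits):])


def requantize(pixels: Sequence[int], step: int = 4) -> List[int]:
    """Crude model of lossy re-encoding: coarser quantisation discards the low bits."""
    return [p - (p % step) for p in pixels]


_rng = random.Random(20181218)  # fixed seed so the constructed data is reproducible
COVER = [_rng.randrange(256) for _ in range(8 * 56)]  # 448 noise-like 8-bit samples
CLEAR_PAYLOAD = b"constructed example: plain text hidden in the low bits"  # 54 bytes
RANDOM_PAYLOAD = bytes(_rng.randrange(256) for _ in range(len(CLEAR_PAYLOAD)))  # stand-in for ciphertext

if __name__ == "__main__":
    stego = embed_lsb(COVER, CLEAR_PAYLOAD)
    print("clean cover flagged:      ", lsb_plane_looks_like_text(COVER))
    print("plain-text LSB flagged:   ", lsb_plane_looks_like_text(stego))
    print("random payload flagged:   ", lsb_plane_looks_like_text(embed_lsb(COVER, RANDOM_PAYLOAD)))
    print("after requantisation:     ", lsb_plane_looks_like_text(requantize(stego)))
```

The cover here is seeded noise rather than a photograph, which matches the LSB plane of a real image but not its higher bits; on real files the same check runs per colour channel over the decoded pixel array.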

------
walrus01
Using Twitter and one-way broadcast, plus steganography, seems like the malware
equivalent of a numbers station.

------
throw12311112
Can anyone elaborate how this code is actually executed?

If I download one of these images, which appears to embed CSharp Winform code,
how does it actually run within the system?

I suppose it couldn't unless taking advantage of some other exploit along the
way. And if that is the case, this article is perhaps a little incomplete.

~~~
jwilk
From the article:

_The memes contain an embedded command that is parsed by the malware after
it’s downloaded from the malicious Twitter account onto the victim’s machine,
acting as a C&C service for the already-placed malware. It should be noted
that the malware was not downloaded from Twitter and that we did not observe
what specific mechanism was used to deliver the malware to its victims._

------
Rjevski
TLDR: malware uses meme images containing hidden instructions posted on
Twitter as a way to receive commands. It's one-way communication though - the
result of the operation is still uploaded to a C&C server.

~~~
mfoy_
So why would the malware not just check the C&C server for orders? Why hope
that your victim checks Twitter and sees your memes? This seems like a really
roundabout way of accomplishing something trivial (I mean, trivial as compared
to infecting a machine with your malware in the first place...)

~~~
dotancohen
Because that would reveal the location (IP address) of the C&C server, in
addition to making it a point of failure.

~~~
mfoy_
But the output of all the commands is still sent to the C&C server, so I don't
see how this protects that. Unless, as the other user suggested, the memes
could actually also contain the IP to use for the C&C server. So the "order"
is akin to "upload username to ###.##.###.#"

