Twitter memes are being used to hide malware


Last week, a group of security researchers reported that they have found a new malware that takes its instructions from code hidden in memes posted to Twitter. The technique is known as steganography, and cybercriminals commonly use it to conceal a malicious file or command inside an image so that it evades security solutions.

According to Trend Micro, the malware authors posted two tweets containing malicious memes on 25th and 26th October. The images were tweeted from a Twitter account created in 2017. “The memes contain an embedded command that is parsed by the malware after it’s downloaded from the malicious Twitter account onto the victim’s machine, acting as a C&C service for the already-placed malware”, reported Trend Micro.

According to the blog post, this new threat is detected as TROJAN.MSIL.BERBOMTHUM.AA. Because the malware fetches its commands from a legitimate source, a popular social networking platform, the memes cannot be taken down until the malicious Twitter account itself is disabled. Twitter has since taken the account offline, as of December 13, 2018.

Malicious memes are no laughing matter

The memes posted via the malicious Twitter accounts have a “/print” command hidden, which enables the malware to take screenshots of the infected machine. These screenshots are then sent to a C&C server whose address is obtained through a hard-coded URL on

Next, the malware will send out the collected information or the command output to the attacker by uploading it to a specific URL address.

According to Trend Micro, “During analysis, we saw that the Pastebin URL points to an internal or private IP address, which is possibly a temporary placeholder used by the attackers. The malware then parses the content of the malicious Twitter account and begins looking for an image file using the pattern: `<img src=\"(.*?):thumb\" width=\".*?\" height=\".*?\"/>` on the account.”

Source: TrendMicro

Researchers have also described other commands supported by this malware: /processos retrieves the list of running processes, /clip captures clipboard content, /username retrieves the username from the infected machine, and /docs retrieves filenames from predefined paths (such as the desktop and %AppData%).
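As an added example (not Trend Micro's or the malware's code), the following Python mirrors the image-selection pattern quoted above and the command list just described, so an analyst can triage a captured account page or strings recovered from a suspect image; the HTML and URLs are constructed.

```python
import re
from typing import Optional

# The selection pattern Trend Micro quoted. Note the ":thumb" suffix: the
# malware scrapes the account's rendered HTML rather than using an API.
IMG_PATTERN = re.compile(r'<img src="(.*?):thumb" width=".*?" height=".*?"/>')

# Command tokens reported for this family and what each one collects.
KNOWN_COMMANDS = {
    "/print": "screenshot of the infected machine",
    "/processos": "list of running processes",
    "/clip": "clipboard contents",
    "/username": "username of the infected machine",
    "/docs": "filenames from predefined paths (desktop, %AppData%)",
}


def extract_image_urls(html: str) -> list[str]:
    """Return the image URLs the documented parser would select from the page.

    Only tags that carry the ':thumb' suffix AND width/height attributes match,
    which is why the ':large' and attribute-less tags below are ignored.
    """
    return IMG_PATTERN.findall(html)


def classify_command(text: str) -> Optional[str]:
    """Map a string recovered from an image to a known command, or None."""
    stripped = text.strip()
    if not stripped:
        return None
    return KNOWN_COMMANDS.get(stripped.split()[0])


# Constructed sample of account HTML; the hostnames and filenames are invented.
SAMPLE_HTML = """
<div class="media">
<img src="https://media.example.test/meme/AAA111.jpg:thumb" width="200" height="200"/>
<img src="https://media.example.test/meme/BBB222.jpg:large" width="600" height="400"/>
<img src="https://media.example.test/meme/CCC333.jpg:thumb"/>
<img src="https://media.example.test/meme/DDD444.png:thumb" width="180" height="180"/>
</div>
"""

if __name__ == "__main__":
    for url in extract_image_urls(SAMPLE_HTML):
        print("candidate image:", url)
    for s in ("/print", "/docs", "/reboot"):
        print(s, "->", classify_command(s))
```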

According to TechCrunch, “The malware appears to have first appeared in mid-October, according to a hash analysis by VirusTotal, around the time that the Pastebin post was first created.”

After Trend Micro reported the account, Twitter pulled the account offline, suspending it permanently.
