Like to Share Memes? You may be Helping Criminals Distribute Malware

Everyone likes a good meme; those cartoons, doctored photos, or jokes that try to encapsulate a cultural moment in a humorous package. They are often political but don’t need to be. The important goal is to get them shared by many people…and that’s where hackers come in.

Hackers often use spambots to help distribute their malware. Good spambots will send millions of phishing emails out into the void hoping that a few of them will be opened and allow malware to be installed on a victim’s computer or device. However, good spambots cost money. Memes can be distributed for free to millions of people.

But aren’t memes just images? How can malware be hidden in a simple image? On the surface, that may seem like a fair question, but, remember, digital images are just digital code that is used to represent something in the real, analogue world. If, within this digital representation, someone adds code that activates malware, you have created a malware distribution mechanism.
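To make the point concrete from the defender's side, here is an added example (not from the original post or from Trend Micro's research) that walks a PNG file's chunk structure and reports bytes an image viewer would silently ignore. The `EXPECTED` chunk set, the `prVt` chunk name and the sample images are constructed for this illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types this example treats as normal for a meme image (an assumption;
# extend the set for your own corpus).
EXPECTED = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB", b"pHYs"}


def make_chunk(ctype, data=b""):
    """Build one PNG chunk: 4-byte length, type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def inspect_png(blob):
    """List content in a PNG that a viewer would silently ignore."""
    if not blob.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos, ctype = [], len(PNG_SIG), b""
    while pos + 12 <= len(blob) and ctype != b"IEND":
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            return findings + ["truncated chunk"]
        data = blob[pos + 8:end - 4]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(ctype + data):
            findings.append(f"bad CRC in {ctype!r}")
        if ctype not in EXPECTED:
            findings.append(f"unexpected chunk {ctype.decode('latin-1')} ({length} bytes)")
        pos = end
    if ctype != b"IEND":
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} bytes after IEND")
    return findings


# Constructed sample: a valid 1x1 grayscale PNG, then the same image carrying
# extra bytes in a private chunk and after the end marker.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
EXTRA = b"constructed payload"
CLEAN = PNG_SIG + IHDR + IDAT + make_chunk(b"IEND")
SUSPECT = PNG_SIG + IHDR + make_chunk(b"prVt", EXTRA) + IDAT + make_chunk(b"IEND") + EXTRA

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, inspect_png(blob))
```

A structural check like this only catches data stored outside the pixel stream; content hidden inside the pixel values themselves leaves the chunk layout untouched and needs statistical analysis instead.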

The idea of hiding information in images has been around for a long time. The technical name for this is steganography. In the past, I have written on how terrorists communicate through images uploaded to public websites. I also showed how images can be hidden within images. The picture on the right below

[Image: stego3]

has this image hidden within it.

[Image: stego1]

So how difficult would it be to hide some code that communicates with malware?

Recently, cybersecurity firm Trend Micro found criminals trying to hide malware-related code in memes that they posted on Twitter. The hidden code in the meme would serve as a C&C (command and control) server, which the criminals could use to send commands to malware residing on infected devices.

Trend Micro did not determine how the initiating malware got on an infected machine, but, apparently, once it was there, it would download its orders from the meme on a Twitter account. The interesting aspect of this malware is that it is using Twitter as a sort of C&C server. In other words, all the malware commands will come via Twitter. So, in order to stop the malware, Twitter was forced to take down the account that was posting the memes. Malware has been distributed through social media since the creation of social media; however, using it as a platform to give commands to malware is a creative, although not totally unique, idea.

This particular malware was programmed to take screenshots on the infected device and send them to an address found on pastebin.com. Here is a list of commands Trend Micro found associated with this malware.

[Image: meme commands]

But why would the criminals use Twitter as a command center? The answer is that it is a well-known domain that many antivirus or other cybersecurity programs/architecture would not try to block communication with. If the criminals used some little-known site to get the job done, any communications with it might be blocked. Twitter.com is most likely white-listed.
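Because the domain itself is trusted, a defender has to look at which process is talking to it rather than at the destination alone. The sketch below is an added example, not part of the original post: it flags non-browser processes that contact Twitter and pastebin.com, the two services this malware relied on. The log format, host names, process names and browser list are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed proxy/EDR records; the column names are an assumed export format.
SAMPLE_LOG = """host,process,dest
ws-014,chrome.exe,twitter.com
ws-014,chrome.exe,pbs.twimg.com
ws-022,updater.exe,twitter.com
ws-022,updater.exe,pbs.twimg.com
ws-022,updater.exe,pastebin.com
ws-031,firefox.exe,pastebin.com
ws-031,svch0st.exe,pastebin.com
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed approved browsers
SOCIAL = {"twitter.com", "pbs.twimg.com"}               # Twitter and its image host
PASTE = {"pastebin.com"}


def flag_processes(log_text):
    """Return (host, process, severity) for non-browser traffic to these sites."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"].lower() not in BROWSERS:
            seen[(row["host"], row["process"])].add(row["dest"].lower())
    alerts = []
    for (host, proc), dests in sorted(seen.items()):
        social, paste = dests & SOCIAL, dests & PASTE
        if social and paste:
            # Same process reads from Twitter and talks to a paste site.
            alerts.append((host, proc, "high"))
        elif social or paste:
            alerts.append((host, proc, "review"))
    return alerts


if __name__ == "__main__":
    for alert in flag_processes(SAMPLE_LOG):
        print(alert)
```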

But once the account was taken down, it could no longer communicate with the malware, so what could the criminals do? The obvious answer is that they could simply make another account and post another weaponized meme. The problem would be that the malware on the infected device would be looking for a particular Twitter account that no longer existed. But, since the malware was still actively communicating with a pastebin page, it may be possible for the criminals to communicate with the malware and alter the parameters of the meme target.

And that finally brings me to my main point. Imagine that people actually shared the Twitter account’s meme. The criminals would know the accounts of those who shared the meme and would, then, be able to form a distribution network. In other words, every time the meme was shared, the site that shared it would, unknowingly, be part of the malware’s C&C. Then, if Twitter took down the original criminal site, they would have a backup that was, in fact, a legitimate account.

As it stands now, few people would really want to share the meme on the criminal account. Good memes are funny memes. We all have different ideas of humor, but, at least for me, the meme shown on the actual criminal site below is not LOL-enabled.

[Image: meme page]

Some investigators have suggested that this is only a proof of concept exercise run by the criminals to set up a more serious attack in the future.

So what would a future attack look like? First of all, it would need a well-designed phishing angle to get the actual malware onto a particular device. The fact that they want to hide the C&C communication by using Twitter indicates that the criminals may be planning to compromise a corporate or government network whose architecture may allow employees to contact Twitter.

If they want to use a meme as the command device, they’d better work on one that would be funny enough to be distributed to other accounts, in case they needed those accounts as a backup. Anyone can make a meme using the Morpheus Matrix image by using a free Morpheus Meme generator, but having a sense of humor would help. It seems there’s more to a successful hacking campaign than good coding skills.

[Image: meme matrix]
