Cyber criminals have learned to hide viruses in MEM

Criminals learned long ago to disguise malware as ordinary files. To an inexperienced user a regular mp3 file, a jpeg picture or a Word document in doc format raises no suspicion; sometimes the file even opens and does exactly what it is supposed to do. Such files can nonetheless carry malware, and anti-virus software has been fairly successful at catching them. As it turns out, however, the old method has been adapted to hide malicious commands in images carrying memes.

It is worth mentioning that everything discussed here applies, for now, only to the social network Twitter. But since the vulnerability has already been used there, nothing guarantees that other platforms will not become dangerous in the same way in the future.

“Contagious” memes look at first glance like ordinary pictures, with one exception: the image file contains an embedded command, which is acted on remotely after the file has been downloaded to the PC when an infected tweet is viewed. It should be noted that the malware itself is not downloaded from Twitter. The social network merely acts as temporary storage for the commands the already-installed malware fetches.

[Figure: code analysis of the malware]

[Figure: screenshot of an infected Twitter account]

Once on the computer, the program behaves like a Trojan and downloads data from the Pastebin service. The malware then reads the meme from the tweet, looks for commands beginning with “/”, executes them and sends the collected data to the criminals. During its investigation Trend Micro found that the malware authors had published two tweets with malicious memes, on October 25 and 26, from a Twitter account created in 2017. The commands found in these files were “/print” (capture the screen), “/processos” (data about running processes), “/clip” (the contents of the clipboard), “/username” (data about the user account) and “/docs” (the file names in a directory).
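As an added illustration of the defensive side (example code written for this page, not taken from the article or from Trend Micro's analysis), the scanner below checks a downloaded JPEG for the command tokens the article lists in the two places an image viewer never displays: free-form COM/APPn header segments, and bytes appended after the end-of-image marker. The article does not say where in the image the commands are embedded, so those two locations are an assumption, and the sample “images” are constructed byte strings rather than real pictures.

```python
"""Look for plain-text bot commands hidden inside a JPEG container."""
import re

# Command tokens the article attributes to the malware.
COMMAND_RE = re.compile(rb"/(?:print|processos|clip|username|docs)\b")

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def split_jpeg(data: bytes):
    """Split a baseline JPEG into (header segments, bytes after EOI).

    Segments are (marker, payload) pairs up to and including SOS.
    Malformed input raises ValueError.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments = []
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:                      # header-only file, no scan data
            return segments, data[pos + 2:]
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:
            break
    # Inside entropy-coded data 0xFF is always byte-stuffed (FF 00) or part of an
    # RSTn marker, so the first FF D9 after SOS is the real end-of-image marker.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi == -1:
        raise ValueError("missing EOI marker")
    return segments, data[eoi + 2:]


def find_hidden_commands(data: bytes):
    """Return (location, command) pairs for command tokens found in COM/APPn
    segments or in data appended after the EOI marker (assumed hiding spots)."""
    segments, trailing = split_jpeg(data)
    hits = []
    for marker, payload in segments:
        if marker == COM or 0xE0 <= marker <= 0xEF:   # COM and APPn carry free-form bytes
            for m in COMMAND_RE.finditer(payload):
                hits.append((f"segment 0x{marker:02X}", m.group().decode()))
    for m in COMMAND_RE.finditer(trailing):
        hits.append(("after EOI", m.group().decode()))
    return hits


def build_sample(comment: bytes, trailer: bytes) -> bytes:
    """Construct a minimal JPEG-shaped byte string (not a decodable picture) with
    a COM segment and optional bytes after EOI. Constructed test data only."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    app0 = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56"            # fake scan data with one stuffed FF
    return b"\xff\xd8" + app0 + seg(COM, comment) + sos + scan + b"\xff\xd9" + trailer


CLEAN = build_sample(b"holiday photo", b"")
SUSPECT = build_sample(b"/print", b"/processos /clip\n")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, find_hidden_commands(blob))
```

Run on a real download, the same check is a cheap triage step: an image whose viewer-invisible regions contain slash-prefixed command words is worth quarantining even before the dropper that reads them is identified.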

Twitter's administration and the researchers who found the dangerous code have already taken a number of measures to stop the spread of the malware on the social network. We still advise against following doubtful accounts, and suggest refraining for a while from reading the Twitter feed on a personal computer. Smartphones are not currently affected by this vulnerability.
