Hacker uses internet meme to send hidden commands to malware

Even memes can be dangerous.
By Michael Kan for PCMag


A recently discovered piece of malware has a unique way of communicating with its creator—through an internet meme posted on Twitter.

The mysterious hacker has been using the "What if I told you" meme to secretly tell a Windows-based strain of malware when to grab screenshots from infected PCs, according to security firm Trend Micro.

Although the internet meme looks like an ordinary digital image, a simple command is hidden in the file's metadata, Trend Micro VP Mark Nunnikhoven says. The malware, on the other hand, has been designed to look up the hacker's Twitter account and scan image files for the secret commands.

"The messages used for this malware are very small (typically one word) meaning that they can be hidden between the metadata and actual pixel layout without changing the image itself," Nunnikhoven said in an email.

The hacker appears to have posted only two malicious memes — on Oct. 25 and 26 — with the command "/print," which orders infected Windows PCs to take a screenshot. Other hidden commands the hacker could've sent through the memes include "/clip" to capture content copied to the clipboard, and "/processos" to retrieve a list of processes running on the PC.
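
A defender's view of the mechanism described above, as an added example that is not from Trend Micro or the original article: it walks a JPEG's segment structure and flags the command strings named here when they sit in comment or application segments or after the end-of-image marker. That the carrier is a JPEG and that these are the places to look are assumptions, since the article does not say exactly where the command is stored; the sample byte strings are constructed.

```python
import re
import struct

# Command strings named in the article; a real rule set would be broader.
KNOWN_COMMANDS = {b"/print", b"/clip", b"/processos"}
TOKEN = re.compile(rb"(?<![\w/])/[a-z]{3,16}(?![\w/])")

def jpeg_side_channels(data):
    """Yield (label, payload) for JPEG regions that hold no pixel data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            yield "COM", payload
        elif 0xE0 <= marker <= 0xEF:
            yield "APP%d" % (marker - 0xE0), payload
        elif marker == 0xDA:
            # Start of scan: compressed pixels run up to the EOI marker.
            eoi = data.find(b"\xff\xd9", pos)
            if eoi != -1 and eoi + 2 < len(data):
                yield "after-EOI", data[eoi + 2:]
            return
        pos += 2 + length

def find_hidden_commands(data):
    """Return (location, command) pairs for known commands in side channels."""
    return [(label, tok.decode())
            for label, payload in jpeg_side_channels(data)
            for tok in TOKEN.findall(payload)
            if tok in KNOWN_COMMANDS]

def seg(marker, payload):
    """Frame a payload as a JPEG segment (marker + big-endian length)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: valid JPEG framing only, not decodable images.
HEAD = b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SCAN = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9"
CLEAN = HEAD + SCAN
TAGGED = HEAD + seg(0xFE, b"/print") + SCAN
TRAILING = CLEAN + b"/clip"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("tagged", TAGGED), ("trailing", TRAILING)]:
        print(name, find_hidden_commands(blob))
```

A match is a triage signal rather than proof of compromise, since legitimate metadata can contain short slash-prefixed strings.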


The practice of concealing messages in non-text files such as images or video is called steganography, and it's become an effective way for hackers to sneak malicious code onto people's computers or send hidden commands over the open web.

"Most networking monitoring programs won't notice anything odd about access to Twitter.com," Nunnikhoven added. "A site that's based around a timeline like Twitter also allows the attacker to sequence commands for the malware. This can be an effective way of building a solid command and control channel."

The good news is that Twitter has disabled the hacker's account on its platform. But it isn't clear how the mysterious attacker was circulating the malware, a Trojanized .exe file.

In response to Trend Micro's findings, Twitter told PCMag: "Keeping people safe and secure on Twitter is our top priority. If content on Twitter is used for malicious purposes, we take action and remove it. Twitter plays no part in the distribution of the malware involved in this campaign."

However, the company didn't address questions over what Twitter can do to stop similar meme-based malware schemes in the future. Meanwhile, others have shown you can cram a whole lot of data, including ZIP archives, inside an image on Twitter, raising the possibility that hackers could employ the same tactic again.

