Rewterz

Rewterz Threat Advisory – A Second Sample of the Shamoon V3 Wiper

December 19, 2018
Rewterz

Rewterz Threat Advisory – CVE-2018-8653 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability

December 20, 2018

Rewterz Threat Advisory – Malware Controlled Through Command-containing memes on Twitter

SEVERITY: Medium

 

CATEGORY: Informative Updates

 

ANALYSIS SUMMARY

 

A set of commands have been retrieved from memes posted on a hacker-controlled Twitter account, containing malware controlled by hackers. The new threat is detected as (TROJAN.MSIL.BERBOMTHUM.AA), a malicious Trojan received via legitimate service of Twitter. The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans meme files, and extracts the commands they include.

 

 

 

Attackers hid the “/print” command in the memes, which allows them to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com. Following commands were retrieved from the memes.

 

Commands

/print (Screen capture)

/processos (Retrieve list of running processes)

/clip (Capture clipboard content)

/username (Retrieve username from infected machine)

/docs (Retrieve filenames from a predefined path such as (desktop, %AppData% etc.))

The malware can only be disabled by deletion of the malicious Twitter account.

 

 

IMPACT

 

Command execution on target device.

 

 

AFFECTED PRODUCTS

 

Twitter

 

REMEDIATION 

 

Do not download or click on attachments or links that are unexpected and do not seem to be coming from legitimate and verified sources.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.