The Latest Danger from Memes

Memes. They can be funny, sad, inspirational, or at other times downright offensive. I have some friends who literally invest significant time daily in checking out the latest viral meme. Whether you like them or not, memes have become big in pop culture. Some of the featured characters have gone on to crossover internet fame. Grumpy Cat, Kermit the Frog, and the “overly attached” girlfriend have entertained Americans for countless hours as they scroll through their timelines on the most downloaded social media apps in the world including Facebook, Twitter, and Instagram.

With the increased popularity of this new medium of expression come new dangers. Ever inventive, sophisticated hackers have now incorporated the use of steganography as a vehicle to deliver infectious malware.

Steganography is defined as data hidden within data. In computing, it is sometimes purposed as an encryption technique used to protect files. It can also be used to facilitate encrypted messaging. In the past, jihadists have employed a communication tool called MuslimCrypt, which uses steganography. Steganography can also be applied to video and audio files and has now found a malicious application via image files.  

According to reports, although the use of steganography to deliver malware via memes is thought to have originated in 2017 (when the Twitter account sharing the infected meme was created), it has only recently started to quickly spread via the popular Matrix Morpheus memes.

Research conducted by Trend Micro, the popular security intelligence blog, identifies the new threat, detected as TROJAN.MSIL.BERBOMTHUM.AA, as being introduced to systems via a legitimate service (Twitter). The trojan then employs the use of a commonly used meme to draw in the victim. The malicious tweets could not be removed until the account was disabled by Twitter. Twitter deleted the profile on December 13th of 2018.

The potential threat of widespread outbreaks involving steganography should be enough to keep IT professionals monitoring the personal use of computers on their networks in both the private and government sectors awake at night. Once the trojan is inconspicuously installed, it has the ability to download malicious memes from social media accounts you may be following on Twitter, Facebook, Instagram, and others to your computer.

It then begins to execute preloaded commands from the malware file hidden within the meme. The “print” command hidden in the meme allows the malware takes a screenshot of the infected machine before obtaining server information from commonly used text upload and sharing app Pastebin. The collected information or command output is then uploaded to a specific URL address.

This poses a threat to private businesses that carry proprietary business information and intellectual property on their systems. The stolen information can potentially be leveraged for profit, via sale of this ill-gotten intelligence to competitive businesses within the same industry. American businesses have already suffered as a result of stolen intellectual property, as the United States Trade Representative’s 2018 report into China's intellectual property theft found that "Chinese theft of American Intellectual Property currently costs between $225 billion and $600 billion annually."

Individual consumers can be victims of financial crimes as a result of steganography, as the infection initiates hidden "print" commands, which take screen captures containing usernames, passwords, birthdays, social security numbers, and potentially even credit card information from their victims.

Our government networks, ranging from election databases, to Industrial Control Systems (ICS) used to control many of our critical infrastructure, to even weapon commands systems are all potential victims as well.

We’ve already seen a 2018 cyberattack, carried out by Chinese government-backed hackers, that compromised the computers of a naval contractor working on a Navy submarine and underwater programs project.  This attack netted the Chinese government 614 gigabytes of data, including plans related to a supersonic anti-ship missile scheduled to be introduced by 2020 and other details about undersea warfare.

So, how will businesses, individuals, and the government deal with this threat? One potential remedy would be the instituting of department wide bans on social media in the work setting while operating work computers.

This potentially unpopular remedy could help, but given the plethora of other threats, including the deception campaigns known as “Active Security” and “Total Security”, that disguise threats as legitimate security programs in order to profiteer from stolen data and financial information, will we ever be able to fully secure our data systems?