Twitter Malware Links to Dark Web Hackers
Twitter Followers Targeted by Dark Web Hack
Twitter is the latest social media platform to come under attack from dark web hackers. According to a recent report, a team of cyber security researchers discovered a malware campaign launched against Twitter, and the unusual malware has since been flooding the popular social media platform.
The Twitter security hack shows that the dark web hackers have managed to use images carrying malicious QR codes, which lead to the compromise of the devices of the social platform's followers. Reportedly, the malicious QR codes plaguing Twitter have been shown to download malicious extensions for the Google Chrome browser.
Karsten Hahn is the cyber security analyst who discovered the malware and has documented his discovery in a blog post titled Malicious QR Codes On Twitter. Elaborating in the detailed blog post, Hahn states that the research was done by multiple researchers, who spotted the spread of the malware as the malicious QR codes flooded the Twitter social site.
With further investigation, the cyber security analysts realized that the dark web hackers' intended targets were the millions of Twitter followers who traverse the social platform daily. The campaign pushing the malicious Google Chrome extension uses enticing images to attract the attention of Twitter users. The images advertise pirated software, and once the intended victim scans the malicious QR code, an ISO file is downloaded. However, the disguised ISO file is programmed not to deliver the pirated software but instead serves as the loader for the malware.
Twitter Followers Forced to Click Malicious Malware
The researchers revealed that the ISO file contains two main components: a _meta.txt, which holds a PowerShell script, and a downloader.exe. As for the function of the two components, the _meta.txt contains a PowerShell script encrypted with a substitution cipher, while the downloader.exe is a .NET assembly.
The assembly comprises a huge dictionary containing the substitution alphabet, which decrypts the PowerShell script in _meta.txt. The PowerShell commands then run every ten seconds as a scheduled task with the unique title ChromeTask.
Also, as stated by the cyber analysts, the malicious Google Chrome extension is downloaded by the PowerShell script. These downloads have stealth properties that help them evade being uninstalled by the affected user: if an individual attempts to visit the page listing the malicious Chrome extension, such as “chrome://extensions”, it redirects to another path, “chrome://settings”.
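For defenders, the two observable artifacts described above (a scheduled task named ChromeTask that runs PowerShell every ten seconds, and a Chrome extension that hides itself from chrome://extensions) can be checked from disk and the task scheduler rather than from inside the browser. The following triage script is an added example, not code from the article or from Hahn's analysis; the task name and interval come from the text, while the Chrome profile path, the PowerShell-matching regex and the function name are my own assumptions.

```powershell
# Added triage helper (assumption: run as administrator on a Windows host with the
# ScheduledTasks module, i.e. Windows 8 / Server 2012 or later).
function Find-ChromeTaskIndicators {
    [CmdletBinding()]
    param(
        # Task title reported in the article.
        [string]$TaskName = 'ChromeTask',
        # Assumed default Chrome profile root; adjust for other installs.
        [string]$ChromeUserData = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data')
    )
    $findings = @()

    # 1. Scheduled tasks: flag the known name, or any task that launches PowerShell
    #    on a repetition interval of one minute or less (ten seconds is "PT10S").
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $psAction = $task.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' }
        $fastTrigger = $task.Triggers | Where-Object {
            $_.Repetition -and $_.Repetition.Interval -match '^PT(\d+)S$' -and [int]$Matches[1] -le 60
        }
        if ($task.TaskName -eq $TaskName -or ($psAction -and $fastTrigger)) {
            $findings += [pscustomobject]@{
                Kind     = 'ScheduledTask'
                Name     = "$($task.TaskPath)$($task.TaskName)"
                Detail   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            }
        }
    }

    # 2. Chrome extensions enumerated from the profile directory, which the
    #    extension cannot redirect away from, unlike the chrome://extensions page.
    #    Layout: <profile>\Extensions\<extension id>\<version>\manifest.json
    Get-ChildItem -Path (Join-Path $ChromeUserData '*\Extensions\*\*\manifest.json') -ErrorAction SilentlyContinue |
        ForEach-Object {
            $manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            $findings += [pscustomobject]@{
                Kind     = 'ChromeExtension'
                Name     = $manifest.name
                Detail   = "id=$($_.Directory.Parent.Name) v$($manifest.version) perms=$(($manifest.permissions -join ','))"
                Interval = ''
            }
        }
    return $findings
}

Find-ChromeTaskIndicators | Format-Table -AutoSize
```

Any hit in the ScheduledTask rows, or an extension id you do not recognise, is a lead for removing the task and the extension directory and for reviewing the PowerShell command line it was running.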
However, while the installed malicious extension has not been shown to run any damaging payload, it still performs session hijacking and displays intrusive ads in the background. Nonetheless, while harmless at the moment, the infection has the potential to evolve into more dangerous malware.
Above all, the leading cyber security analyst stated that, for now, the malware works to garner revenue via unsolicited advertisements, along with search engine hijacking. Hahn also warned that malware loaders have a way of evolving, as dark web hackers are always working to improve their malware projects.
Therefore, the only logical solution, at this time, is for everyone, especially Twitter users, to avoid clicking on images or files that display QR codes.