Twitter malware ‘pidoras6’

It seems that the Twitter account ‘Pidoras6’ is being used in a malware campaign. The account name appears in multiple executable files that have been marked as malicious on VirusTotal.

Twitter malware gets info from Twitter
The Twitter malware is seen performing an HTTP GET request.

Remarkable connections by pidoras6

The connections made by the malware seem to go to Twitter and Virustotal itself:

  • http://www.virustotal.com/vtapi/v2/file/scan
  • http://twitter.com/pidoras6

The Twitter account ‘Pidoras6’ was registered in June 2014, and since then, it has published a massive score of ‘4’ tweets.

Virustotal on pidoras6

Once you take a look at the collection of files, you will notice a large number of samples named ‘1.exe’ being uploaded to VirusTotal. These files have the Twitter account in common.

Malware samples which connect to Twitter

SHA-256 checksums

The following checksums were found on VirusTotal:

Twitter malware

Malware authors do use Twitter as a C&C or communication channel: they publish commands or actions as (private) tweets, and the malware visits the Twitter page to retrieve those commands or actions.

Twitter does not host any malicious content, nor do the found tweets result in a malware infection.

Translate the tweet

Base64 tweet

Decoded from base64, this tweet reads: https://w0rm.in/join/join.php. The site no longer resolves, but it used to be an underground board where website exploits were offered.
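As an added example that is not part of the original post, the following Python script shows the defensive side of the two points above: it scans proxy log lines for the two indicators named in this write-up (a client that fetches the Twitter account page and also contacts the VirusTotal scan endpoint, the combined behaviour described under ‘Remarkable connections’), and it extracts and decodes base64-looking tokens from tweet text, which is how the tweet above was read. The log layout, the sample log lines, the sample tweet and the function names are all constructed assumptions for this example, not artefacts from the campaign.

```python
import base64
import re
from typing import Dict, List, Set, Tuple

# Indicators taken from the write-up: the Twitter handle the samples fetch and the
# VirusTotal scan endpoint they contact. Matching is a case-insensitive substring test.
DEAD_DROP_INDICATORS = (
    "twitter.com/pidoras6",
    "www.virustotal.com/vtapi/v2/file/scan",
)

# Constructed proxy log (assumed layout: "timestamp client method url user-agent").
# Only 10.0.0.5 shows the full pattern; the other clients are ordinary browsing.
SAMPLE_PROXY_LOG = """\
2017-03-01T10:00:01Z 10.0.0.5 GET http://twitter.com/pidoras6 Mozilla/4.0 (compatible; MSIE 7.0)
2017-03-01T10:00:02Z 10.0.0.5 POST http://www.virustotal.com/vtapi/v2/file/scan Mozilla/4.0 (compatible; MSIE 7.0)
2017-03-01T10:00:03Z 10.0.0.7 GET https://twitter.com/home Mozilla/5.0 (Windows NT 10.0) Firefox/52.0
2017-03-01T10:00:04Z 10.0.0.9 GET http://example.com/index.html Mozilla/5.0 (Windows NT 10.0) Chrome/56.0
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.*)$")


def find_dead_drop_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, method, url) for every request whose URL contains a known indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = m.group("url")
        if any(ind in url.lower() for ind in DEAD_DROP_INDICATORS):
            hits.append((m.group("client"), m.group("method"), url))
    return hits


def clients_with_dead_drop_pattern(log_text: str) -> List[str]:
    """Clients that touched every indicator, i.e. the combined Twitter + VirusTotal behaviour."""
    seen: Dict[str, Set[str]] = {}
    for client, _method, url in find_dead_drop_hits(log_text):
        for ind in DEAD_DROP_INDICATORS:
            if ind in url.lower():
                seen.setdefault(client, set()).add(ind)
    return sorted(c for c, inds in seen.items() if len(inds) == len(DEAD_DROP_INDICATORS))


# Runs of 16+ base64-alphabet characters with optional padding are decoding candidates.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_tokens(text: str) -> List[str]:
    """Decode every base64-looking token in a tweet that yields printable ASCII text."""
    decoded: List[str] = []
    for token in B64_TOKEN_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            continue
        try:
            plain = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload, not a text command
        if plain.isprintable():
            decoded.append(plain)
    return decoded


# Constructed tweet: the URL the post decodes, re-encoded here so the sample is self-contained.
SAMPLE_TWEET = "join: " + base64.b64encode(b"https://w0rm.in/join/join.php").decode("ascii")


if __name__ == "__main__":
    print("indicator hits:", find_dead_drop_hits(SAMPLE_PROXY_LOG))
    print("clients with full pattern:", clients_with_dead_drop_pattern(SAMPLE_PROXY_LOG))
    print("decoded tweet tokens:", decode_base64_tokens(SAMPLE_TWEET))
```

The two-indicator requirement in `clients_with_dead_drop_pattern` is the useful part for triage: a single visit to a public Twitter page is normal traffic, whereas a host that also calls the VirusTotal file-scan API from a non-browser process matches the behaviour the samples in this post share.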

Since 2017

The malware was first reported on by Malwarebytes in 2017.
