News, blogs, opinions — Twitter is one of the most popular social networks for spreading ideas. It has revolutionized the way millions of people consume news. With 288 million active users, Twitter is the world’s fourth-largest social network, so it’s no surprise that Twitter malware attacks are on the rise.

IBM’s Tanya Shafir has recently identified an active configuration of financial malware targeting Twitter users. The malware launches a Man in the Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets. The malware, which has been used to gain access to users’ credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time, the attack is targeting the Dutch market. But because Twitter is used by millions around the world, this type of attack can be used to target any market and any industry.

Tweeters Beware

The attack is carried out by injecting JavaScript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter’s APIs, and then posts new, malicious tweets on behalf of the victim. Here is an excerpt from the injected JavaScript code:

Here are some examples of the tweets posted by the malware from victims’ accounts (tweets containing explicit content were omitted from this blog post):

  • Original text (in Dutch): “Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris”
    • English translation: “Our new King William will earn even more than Beatrix. Check his salary”
  • Original text (in Dutch): “Beyonce valt tijdens het concert van de superbowl, zeer funny!!!!”
    • English translation: “Beyonce falls during the Super Bowl concert, very funny!!!!”
  • Original text (in Dutch): “topman [Dutch Bank] gaat ervandoor met onze miljoenen!! De minister heeft weer het nakijken… zie”
    • English translation: “CEO of [Dutch Bank] is off with our millions!! The minister is inspecting again… see.” (N.B., we have removed the bank’s name from the original tweet.)

The tweets include the following malicious links (all appear to be inactive at the moment):

  • hXXp://yix.be/b18e9
  • hXXp://yix.be/11efb
  • hXXp://ow.ly/hr6a6
  • hXXp://01.nl/rohvj9

IBM researchers found these texts in multiple Twitter posts, indicating that the attack has succeeded in ensnaring victims.

Protecting Users and Enterprise Endpoints from Twitter Malware

This attack is particularly difficult to defend against because it uses a new, sophisticated approach to spear phishing. Twitter users follow accounts that they trust. Because this Twitter malware creates malicious tweets and sends them through a compromised account of a trusted person or organization, followers assume the tweets are genuine. The fact that the tweets include shortened URLs does not raise followers’ suspicion: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message and a shortened URL. However, a shortened URL can be used to disguise the underlying address, so followers have no way of knowing whether the link is suspicious.
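A small triage script, added here as an example and not part of the original post or of IBM’s tooling, shows how a defender can apply the two observations above to a feed of tweets: links behind shortener hosts deserve a second look, and identical text posted from several distinct accounts is the signature of a campaign rather than of organic sharing. It also matches links against the defanged indicators listed in the post. The sample tweets are constructed for the demonstration (they reuse the Dutch texts quoted above; the bit.ly path and the account names are placeholders), and the list of shortener hosts beyond the three seen in the post is an assumption.

```python
"""Triage of tweets carrying shortened links (added example, not code from
the original post). Sample tweets are constructed; the link values are the
defanged indicators listed in the post."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the post.
REPORTED_IOCS = [
    "hXXp://yix.be/b18e9",
    "hXXp://yix.be/11efb",
    "hXXp://ow.ly/hr6a6",
    "hXXp://01.nl/rohvj9",
]

# Shortener hosts: the three seen in the post plus a few common ones
# (assumption: any of these hides the real destination and deserves a look).
SHORTENER_HOSTS = {"yix.be", "ow.ly", "01.nl", "bit.ly", "t.co", "tinyurl.com", "goo.gl"}

URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hXXp(s):// indicator back into a comparable http(s):// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def defang(url):
    """Defang a live URL for safe reporting (http -> hXXp)."""
    return re.sub(r"^http", "hXXp", url, flags=re.IGNORECASE)


def normalize(url):
    """Lower-case scheme and host; the path stays as-is (shortener slugs are case-sensitive)."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def extract_urls(text):
    """Return the URLs in a tweet, refanged, with trailing punctuation removed."""
    return [refang(m.group(0).rstrip(".,!?;:)")) for m in URL_RE.finditer(text)]


def classify_url(url, ioc_set):
    url = normalize(url)
    host = (urlsplit(url).hostname or "").lower()
    return {"url": url, "host": host,
            "shortener": host in SHORTENER_HOSTS,
            "known_ioc": url in ioc_set}


def triage(tweets, iocs=REPORTED_IOCS):
    """Flag each tweet for: a known IoC link, a shortener link, and identical
    text posted from more than one account (the campaign pattern in the post)."""
    ioc_set = {normalize(refang(i)) for i in iocs}
    # Group tweets by whitespace-normalised text so repeats across accounts stand out.
    accounts_by_text = defaultdict(set)
    for t in tweets:
        accounts_by_text[" ".join(t["text"].split()).lower()].add(t["account"])
    findings = []
    for t in tweets:
        links = [classify_url(u, ioc_set) for u in extract_urls(t["text"])]
        reasons = []
        if any(l["known_ioc"] for l in links):
            reasons.append("known_ioc")
        if any(l["shortener"] for l in links):
            reasons.append("shortened_link")
        if len(accounts_by_text[" ".join(t["text"].split()).lower()]) > 1:
            reasons.append("repeated_across_accounts")
        findings.append({"account": t["account"], "reasons": reasons,
                         "links": [defang(l["url"]) for l in links]})
    return findings


# Constructed sample feed: account names and the bit.ly path are placeholders.
SAMPLE_TWEETS = [
    {"account": "@victim_a", "text": "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris http://yix.be/b18e9"},
    {"account": "@victim_b", "text": "Onze nieuwe koning Willem gaat nog meer verdienen dan beatrix. check zijn salaris http://yix.be/b18e9"},
    {"account": "@victim_c", "text": "Beyonce valt tijdens het concert van de superbowl, zeer funny!!!! http://ow.ly/hr6a6"},
    {"account": "@newsdesk", "text": "Full story on the budget debate: https://example.com/news/budget-2013."},
    {"account": "@friend", "text": "Great read http://bit.ly/constructed1 (placeholder short link)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TWEETS):
        print(f["account"], f["reasons"], f["links"])
```

Links are only ever printed in defanged form, so a report generated from this output cannot be clicked by accident. Expanding a shortener to its real destination before anyone follows it is the natural next step, and should be done with redirects disabled (inspecting each Location header one hop at a time) rather than by fetching the final page.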

While Trusteer did not inspect the URLs posted, it is quite possible that these URLs lead to malicious Web pages. If so, when the browser renders the Web page’s content, an exploit can silently download the malware to the user’s endpoint (a drive-by download).

This type of attack increases the need for enterprise exploit prevention technology. By blocking the exploitation of vulnerable endpoint user applications such as browsers and preventing the malware download, exploit prevention technology stops the attack and prevents the malware from spreading and infecting more users. External sources like Web content and email attachments, which can include a hidden exploit in the form of embedded code, should never be trusted. Such content should only be opened while monitoring the application state to ensure it is operating legitimately.
