Flashback Malware: New Variant Changes Twitter Hashtags
Posted by Peter James
We recently reported on how the Flashback malware was using Twitter as a command and control center: it uses a correspondence table between dates and four-letter strings, and combines those strings to make twelve-letter strings. The malware sends HTTP requests to Twitter every hour, searching for these hashtags and looking only at tweets posted since the last time it checked. We have yet to find any actual tweets containing them.
After our blog post, the latest variant contains a slightly different correspondence table. One letter in most of the four-letter codes has changed, and one is the same. Here are the new codes:
| Index | Code | Index | Code |
|-------|------|-------|------|
| 0 | gsqj | 18 | kddd |
| 1 | dljt | 19 | neal |
| 2 | yxad | 20 | hcca |
| 3 | kpdh | 21 | dqzo |
| 4 | izaw | 22 | kxag |
| 5 | pepb | 23 | vpqt |
| 6 | ezvn | 24 | wdld |
| 7 | hwbd | 25 | nsiy |
| 8 | d2ir | 26 | mlvo |
| 9 | rnep | 27 | rdel |
| 10 | uqdw | 28 | zdxl |
| 11 | jfng | 29 | dlno |
| 12 | xloa | 30 | bcti |
| 13 | rpdg | 31 | eoof |
| 14 | aefl | 32 | msan |
| 15 | ocur | 33 | xlco |
| 16 | dppu | 34 | jsiq |
| 17 | jeuv | | |
We’re certain that this change was made because we published the previous codes. We will continue publishing them each time we find new codes.
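The table above can be turned into a check over web proxy logs. The following is an added example, not code from the original post or from the malware: it flags any twelve-character token made of three codes from the table, without assuming which part of the date each code encodes. The log layout, host names and sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Four-letter codes copied from the table in this post (indices 0-34).
CODES = (
    "gsqj dljt yxad kpdh izaw pepb ezvn hwbd d2ir rnep uqdw jfng "
    "xloa rpdg aefl ocur dppu jeuv kddd neal hcca dqzo kxag vpqt "
    "wdld nsiy mlvo rdel zdxl dlno bcti eoof msan xlco jsiq"
).split()
CODE_SET = frozenset(CODES)

# Exactly twelve lowercase letters/digits; the lookarounds stop the
# pattern from matching inside a longer word.
TOKEN = re.compile(r"(?<![a-z0-9])[a-z0-9]{12}(?![a-z0-9])")


def matching_tags(text):
    """Return twelve-character tokens built from three codes in the table."""
    decoded = unquote(text).lower()  # turns %23 into '#', ignores case
    hits = []
    for token in TOKEN.findall(decoded):
        parts = [token[i:i + 4] for i in (0, 4, 8)]
        if all(p in CODE_SET for p in parts):
            hits.append(token)
    return hits


def scan(lines):
    """Yield (line_number, tags) for every log line with at least one hit."""
    for n, line in enumerate(lines, 1):
        tags = matching_tags(line)
        if tags:
            yield n, tags


# Constructed proxy log lines (hosts, paths and layout are assumptions).
SAMPLE_LOG = [
    "10.0.0.5 GET http://search.example/search?q=%23gsqjkdddmsan",
    "10.0.0.7 GET http://search.example/search?q=%23securitynews",
    "10.0.0.9 GET http://search.example/search?q=%23gsqjkdddzzzz",
    "10.0.0.5 GET http://search.example/search?q=%23D2IRRNEPJSIQ",
]

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(n, tags)
```

Because the code table changes between variants, the `CODES` list has to be replaced whenever a new table is published.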