Flashback Malware: New Variant Changes Twitter Hashtags

March 8th, 2012

We recently reported on how the Flashback malware uses Twitter as a command and control channel. The malware carries a correspondence table that maps numbers derived from the current date to four-letter strings, and it concatenates three of these strings to form a twelve-character hashtag. Every hour it sends HTTP requests to Twitter searching for that hashtag, looking only at tweets posted since its previous check. So far we have not found any actual tweets containing these hashtags.

Since our blog post, a new variant has appeared with a slightly different correspondence table: most of the four-letter codes differ from the previous set by a single letter, and one code is unchanged. Here are the new codes:

 0 gsqj    18 kddd
 1 dljt    19 neal
 2 yxad    20 hcca
 3 kpdh    21 dqzo
 4 izaw    22 kxag
 5 pepb    23 vpqt
 6 ezvn    24 wdld
 7 hwbd    25 nsiy
 8 d2ir    26 mlvo
 9 rnep    27 rdel
10 uqdw    28 zdxl
11 jfng    29 dlno
12 xloa    30 bcti
13 rpdg    31 eoof
14 aefl    32 msan
15 ocur    33 xlco
16 dppu    34 jsiq
17 jeuv
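To make the mechanism concrete, here is an added example (it is neither Intego's code nor code recovered from the malware) that turns the table above into the hashtags this variant would search for on a given date, and flags tweets that carry one of them so that defenders can monitor the tags ahead of time. The post does not say which date fields select the three codes or in what order; the day-of-month, month, two-digit-year ordering used here is an assumption, and the sample tweets are constructed.

```python
"""Added example: derive Flashback's daily hashtags from the published table.

ASSUMPTION: three four-letter codes are picked by day-of-month, month and
two-digit year, in that order. Adjust date_indices() if analysis differs.
"""
import datetime as dt
import re

# The new variant's correspondence table exactly as published in the post.
CODE_TABLE_TEXT = """
0 gsqj 18 kddd
1 dljt 19 neal
2 yxad 20 hcca
3 kpdh 21 dqzo
4 izaw 22 kxag
5 pepb 23 vpqt
6 ezvn 24 wdld
7 hwbd 25 nsiy
8 d2ir 26 mlvo
9 rnep 27 rdel
10 uqdw 28 zdxl
11 jfng 29 dlno
12 xloa 30 bcti
13 rpdg 31 eoof
14 aefl 32 msan
15 ocur 33 xlco
16 dppu 34 jsiq
17 jeuv
"""


def parse_code_table(text):
    """Parse 'index code' pairs laid out in any number of columns."""
    codes = {}
    for m in re.finditer(r"(\d+)\s+(\S{4})(?=\s|$)", text):
        codes[int(m.group(1))] = m.group(2).lower()
    return codes


CODES = parse_code_table(CODE_TABLE_TEXT)


def date_indices(date):
    """ASSUMED mapping from a date to the three table indices."""
    return (date.day, date.month, date.year % 100)


def hashtag_for_date(date, codes=CODES):
    """Build the 12-character hashtag the malware would search for on `date`."""
    parts = []
    for idx in date_indices(date):
        if idx not in codes:
            raise ValueError(f"no code for index {idx}; table covers 0..{max(codes)}")
        parts.append(codes[idx])
    return "#" + "".join(parts)


def hashtags_for_range(start, end, codes=CODES):
    """Map every date in [start, end] to its hashtag, e.g. to monitor the
    tags the malware will look for over the coming weeks."""
    tags = {}
    day = start
    while day <= end:
        tags[day] = hashtag_for_date(day, codes)
        day += dt.timedelta(days=1)
    return tags


# Twelve word characters after '#'; \w is needed because codes such as d2ir contain digits.
HASHTAG_RE = re.compile(r"#(\w{12})\b")


def find_c2_tweets(tweets, start, end, codes=CODES):
    """Return (tweet, hashtag) pairs for tweets carrying a hashtag the malware
    would search for on some day in [start, end]. Twitter search is
    case-insensitive, so the comparison is too."""
    wanted = {tag for tag in hashtags_for_range(start, end, codes).values()}
    hits = []
    for text in tweets:
        for tag in HASHTAG_RE.findall(text):
            if "#" + tag.lower() in wanted:
                hits.append((text, "#" + tag.lower()))
    return hits


# Constructed sample tweets, not real Twitter data.
SAMPLE_TWEETS = [
    "Weather is nice today #spring",
    "New update available #D2IRkpdhXLOA",  # 8 March 2012 under the assumed mapping
    "Unrelated twelve-character tag #abcdefghijkl",
]

if __name__ == "__main__":
    today = dt.date(2012, 3, 8)
    print(today, hashtag_for_date(today))
    for text, tag in find_c2_tweets(SAMPLE_TWEETS, today, today + dt.timedelta(days=7)):
        print("C2 candidate:", tag, "in:", text)
```

Because the table only has indices 0 to 34, `hashtag_for_date` refuses dates whose assumed index falls outside it rather than silently producing a wrong tag; the hourly search described above means that pre-computing the next few weeks of tags with `hashtags_for_range` gives defenders a fixed watch list to check against Twitter search or proxy logs.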

We are certain that this change was made because we published the previous codes, and we will continue to publish the codes each time we find a new set.