An article by Bleeping Computer today shows how a researcher and programmer, David Buchanan, created a Twitter image file that can carry an embedded MP3 or ZIP file. The demonstration MP3 is … you guessed it: Rick Astley’s Never Gonna Give You Up. Yup. A Twitter image can apparently deliver a Rick Roll. You have to save the image and rename it with an MP3 extension.
"The fact that Twitter may not always strip extraneous information from an image, as demonstrated by Buchanan, opens up room for the platform’s abuse by threat actors.
Moreover, what poses an additional challenge is blocking Twitter image traffic may impact legitimate operations.
For example, a network administrator blocking Twitter’s image domain pbs.twimg.com would also cause legitimate images hosted on Twitter to be blocked.
That being said, Buchanan believes his PNG image proof-of-concept technique may not be particularly useful by itself as more steganography methods are viable.
"I don’t think this technique is particularly useful for attackers, because more traditional image steganography techniques are easier to implement (and even more stealthy)."
However, more likely than not, the PNG technique demonstrated by the researcher could be used by malware for facilitating its command-and-control C2 activities.
"But maybe it could be used as part of a C2 system, for distributing malicious files to infected hosts," Buchanan further told BleepingComputer."
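
A defender-side check for the behaviour described above, as an added example that is not code from the article or from Buchanan: it parses a saved PNG and counts bytes in the two places where extra data can ride along in the format, after the IEND chunk and after the end of the zlib stream inside the IDAT chunks. The function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_extra_bytes(data):
    """Return (bytes after IEND, bytes after the zlib stream inside IDAT)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, idat, seen_iend = len(PNG_SIG), b"", False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:
            raise ValueError("truncated chunk")
        if ctype == b"IDAT":
            idat += body          # the image stream may span several IDAT chunks
        pos += 12 + length        # length field + type + body + CRC
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        raise ValueError("no IEND chunk found")
    inflater = zlib.decompressobj()
    inflater.decompress(idat)     # stops at the end of the zlib stream
    return len(data) - pos, len(inflater.unused_data)

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png(idat_tail=b"", file_tail=b""):
    """Constructed 1x1 grayscale PNG, optionally with extra bytes added."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    pixels = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", pixels + idat_tail)
            + _chunk(b"IEND", b"") + file_tail)

if __name__ == "__main__":
    for name, png in [("clean", sample_png()),
                      ("extra data in IDAT", sample_png(idat_tail=b"PK\x03\x04demo")),
                      ("extra data after IEND", sample_png(file_tail=b"ID3demo"))]:
        after_iend, after_zlib = png_extra_bytes(png)
        flag = "REVIEW" if after_iend or after_zlib else "ok"
        print(f"{name}: after_iend={after_iend} after_zlib={after_zlib} {flag}")
```

A non-zero count in either position means the file carries bytes an image decoder never uses, which is a reason to inspect it rather than proof of malicious content.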