It’s always fun to watch malware developers using different techniques to code their creations. Sometimes it’s a matter of obfuscation, placement, injection, but this time it’s how they code it to be dynamic.
I believe this is not the first one that uses this service, but it’s the first time I’m seeing it. The concept is not new, we have often seen Twitter and Ask.fm accounts being used as malware Command & Control (C&C) servers, but now we can add Tumblr to the list.
A few weeks ago we found an iFrame injection that was relying on Tumblr to trigger the payload.
Tumblr lets you effortlessly share anything. – Tumblr
It appears they take this motto to heart!
How Does It Work?
The anatomy of this attack is very interesting.