Russian malware communicates by leaving comments in Britney Spears’s Instagram account

A key weakness in malicious software is the “Command and Control” (C&C) system: a central server that the malware-infected systems contact to receive updates and instructions, and to send stolen data. Anti-malware researchers like to reverse engineer malicious code, discover the C&C server’s address, and then shut it down or blacklist it from corporate routers.

Turla is an “advanced persistent threat” hacking group based in Russia with a long history of attacking states in ways that advance Russian state interests — suggesting that they are either a part of the Russian espionage system, or contracting to it.

A new analysis by Eset shows that Turla is solving its C&C problems by using Britney Spears’ Instagram account as a cut-out for its C&C servers. Turla moves the C&C server around, then hides the current address of the server in encrypted comments left on Britney Spears’s image posts. The compromised systems check in with Spears’s Instagram whenever they need to know where the C&C server is currently residing.

The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to know where the C&C server is currently residing.

The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:

(?:\\u200d(?:#|@)(\\w)

Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:

http://bit.ly/2kdhuHX

Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner,’ normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:

smith2155#2hot make loveid to her, uupss #Hot #X

When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew.

Source: Boing Boing