Britney Spears
Britney Spears

Russian hackers are singing a new tune. They have hidden the location of their command and control servers in comments left on pop star Britney Spears' Instagram posts.

The Turla espionage group, which over the years has targeted various governments, used social media to hide malware once it infected networks.

Turla has a history of finding clever ways to hide its command and control servers. In 2015, Kaspersky Lab identified a method the APT group had been using to hide its C&C network for eight years.

According to an Eset blog post, a recently discovered backdoor Trojan used comments on the “Baby one more time” singer's posts to find the control server that sends and receives data from infected computers.

The advanced persistent threat (APT) group Turla made the malware harder to find as the servers are not directly referenced in either the malware or the comments it accesses.

The comments included hashtags necessary for the malware to resolve the URL of the C&C server.  The malware is concealed in a Firefox extension masquerading as a security feature.

The extension has been distributed through a compromised Swiss security company website. Unsuspecting visitors to this website were asked to install this malicious extension. The extension is a simple backdoor, but with an interesting way of fetching its C&C domain, said researchers.

“The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analysed sample was a comment about a photo posted to the Britney Spears official Instagram account,” said the researchers.

The researchers said that the extension will look at each photo's comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment to obtain the path of the bit.ly URL: (?:\\u200d(?:#|@)(\\w)

In comments on the photo, only one had the hash that matched 183. This comment was posted on February 6, while the original photo was posted in early January. Researchers then ran this through a regex to get the URL http://bit.ly/2kdhuHX

“Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called 'Zero Width Joiner,' normally used to separate emojis,” said the researchers.

When resolving the link, it led to a website used in the past as a watering hole C&C by the Turla crew.

Data from bit.ly showed the URL had 17 visits in February. Researchers said the low number meant that the malware was still in testing. Another explanation was that the malware was used in a highly targeted campaign against certain individuals.

Eset said the extension had several features enabling the Turla gang to read a directory's content, download and upload files from and to the C&C server and execute files on the infected system.

Researchers said that hackers using social media to recover a C&C address are making life harder for defenders. 

“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult,” said the researchers.

Luckily, this attack vector gets shut off as several APIs that are used by the extension will disappear in future versions of Firefox.