Social media giants like Instagram, which is on its way to hitting a billion users this year, surely see a huge number of harmless comments posted each day. But are there occasional moments when a clever hacker posts a comment instructing a piece of malware how to get in touch with its controllers or servers?! A recent report says a big yes! The Slovakian security company ESET said on Tuesday that a Russian espionage hacker group called Turla has created exactly such a cleverly hidden comment. The interesting thing is that it was posted on a photo of the popular American singer Britney Spears.
Instagram comments on the American singer's photo were used to store the location of a C&C server (command and control server) belonging to the 'Turla' hackers. The operation was carried out using a Mozilla Firefox extension with a hidden backdoor in it. The ESET team said it is one of the tools owned by the group, which is believed to be funded by the Russian government.
Of course, the singer was probably not aware that one of the comments on her photo was doing something weird: it could pave a path for communication between the hackers and the malware they created.
What Just Happened?!
The infamous hacker group 'Turla' created a backdoor disguised as a Firefox extension and tricked users into downloading it. The Turla group's method of attack is a malicious site that forces the victim's browser to download files and then executes the malicious code in them, which is known as the 'drive-by download' method. This drive-by download method is commonly used by exploit kits, malvertising campaigns and espionage groups.
An account controlled by the attacking group posted a random (spam-lookalike) comment on Britney's Instagram post. Hidden in that comment was a string of characters identified by a trackable hash.
The comment is given below.
"#2hot make loved to her, uupss #Hot #X," user asmith2155 wrote.
The comment, now deleted (the account has also been deleted), was actually a web address that required a fairly complicated, multi-step process to decipher. Once decoded, it yields '2kdhuHX'. The URL of the C&C server was resolved through a Bit.ly short URL: the decoded string was appended to a bit.ly link to form a URL that would in turn connect the malware to its command-and-control (C&C) server. Strange but unbelievable, right?!
In this case, the malware went through all of the comments on Spears' Instagram photo and computed a number, or a "hash," for each one, while it looked for one specific hash. When it found the comment with the right hash, it would scan it for particular characters, grab the letters that came after those characters and turn them into a link. That link would then let the malware connect to its controllers.
In the ESET team's explanation:
“Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:
Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:
smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew."
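To make the decoding step concrete, here is an added Python example (not ESET's code and not the malware's own) that reconstructs the ZWJ-keyed extraction from the description above and adds a simple defender-side check for comments stuffed with invisible format characters. The regular expression and the sample comment are constructed from the article's text; the malware's real comment-hash function is not reproduced here.

```python
import re
import unicodedata

ZWJ = "\u200d"  # Zero Width Joiner, U+200D (normally glues emoji sequences)

# Pattern reconstructed from the article's description, NOT ESET's published regex:
# a ZWJ, optionally followed by '#' or '@', then the one word character to keep.
HIDDEN_CHAR = re.compile(r"\u200d[#@]?(\w)")

# Constructed sample: the comment as ESET rendered it, with each <200d> marker
# replaced by the real U+200D code point. Not captured live from Instagram.
SAMPLE_COMMENT = (
    "smith2155" + ZWJ + "#2hot ma" + ZWJ + "ke lovei" + ZWJ + "d to " + ZWJ
    + "her, " + ZWJ + "uupss " + ZWJ + "#Hot " + ZWJ + "#X"
)


def extract_hidden_path(comment: str) -> str:
    """Recover the letters hidden behind each ZWJ, in order of appearance."""
    return "".join(HIDDEN_CHAR.findall(comment))


def format_char_ratio(comment: str) -> float:
    """Share of code points in the Unicode 'Cf' (format) category, e.g. ZWJ."""
    if not comment:
        return 0.0
    fmt = sum(1 for ch in comment if unicodedata.category(ch) == "Cf")
    return fmt / len(comment)


def flag_comment(comment: str, min_hidden: int = 3) -> dict:
    """Defensive triage for a single comment.

    Legitimate ZWJ use sits between emoji (category 'So'), which \\w never
    matches, so a run of ZWJ-prefixed word characters is the anomaly we flag.
    """
    hidden = extract_hidden_path(comment)
    return {
        "suspicious": len(hidden) >= min_hidden,
        "format_char_ratio": round(format_char_ratio(comment), 3),
        "hidden": hidden,
        # The article states the path was appended to a bit.ly link; built, not fetched.
        "shortlink": "https://bit.ly/" + hidden if hidden else None,
    }


if __name__ == "__main__":
    print(flag_comment(SAMPLE_COMMENT))
```

Running it on the sample comment recovers '2kdhuHX' and flags the comment, while a comment containing only a family-emoji ZWJ sequence is not flagged.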
Why This Method?
Hiding this sensitive information out in the open isn't just a funny trick; it has several uses. Since this information isn't included in the malware itself, researchers have to go and find it themselves in the wild, assuming the comment is still there to be found. But more importantly, it means the malware's controllers can change the secret destination without touching the malware itself. All they would have to do is delete the original comment and create a new one with the same hash and a new encoded URL. Instead of giving the malware a specific key to a specific lock, the hackers told the malware how to find the places where keys would be hidden, leaving them free to change either the lock or the key.
Yes, it happened on a post of a popular celebrity, but the main point is that it demonstrates the extent to which cyberspace can be used for spying. If the attackers could do this through Instagram, what kinds of methods or spying might be happening on Facebook, Twitter and the rest?!