Leave Britney's Command and Control Server Alone!

Turla's watering hole campaign: An updated Firefox extension abusing Instagram

The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account.

The extension will look at each photo's comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:

(?:\\u200d(?:#|@)(\\w)

Looking at the photo's comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:

http://bit.ly/2kdhuHX

Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called 'Zero Width Joiner', normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:

smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X

Previously, previously, previously.

Tags: , , , ,

3 Responses:

  1. apm74 says:

    Meanwhile Putin's hackers are starting a Persian Gulf war. Get serious, non-Putin's hackers.

  2. Glaurung says:

    So we knew already that Tailor Swift leads a secret life as a computer security expert, and now we learn that Britney Spears secretly writes malware?

    What's next, the Spice Girls are secretly the true authors of bitcoin? The author of Cicada 3301 is actually Madonna? Beyonce is responsible for the hack that gave us the Panama Papers?