
You’ll never guess where Russian spies are hiding their control servers

Turla uses social media and clever programming techniques to cover its tracks.


A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it infects a network of interest.

According to a report published Tuesday by researchers from antivirus provider Eset, a recently discovered backdoor Trojan used comments posted to Britney Spears's official Instagram account to locate the control server that sends instructions to infected computers and receives the data stolen from them. The innovation—by a so-called advanced persistent threat group known as Turla—makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or the comment it accesses.

Turla is a Russian-speaking hacking group known for its cutting-edge espionage malware. In mid-2014, researchers from Symantec documented malware dubbed Wipbot that infiltrated the Windows-based systems of embassies and governments of multiple European countries, many of them former Eastern Bloc nations. A few months later, researchers at Kaspersky Lab discovered an extremely stealthy Linux backdoor that was used in the same campaign, a finding that showed it was much broader than previously believed. Turla has also been known to use satellite-based Internet connections to cover its tracks. In March, researchers observed Turla using what was then a zero-day vulnerability in Windows to infiltrate European government and military computers.

In Tuesday's report, Eset said researchers discovered a Firefox browser extension that masqueraded as a security feature. Behind the scenes, it provided the means for outside parties to seize complete control of an infected computer. To remain stealthy, the extension used programming tricks—including regular expressions and the calculation of cryptographic hashes—to find the control server where the data was to be sent.

Eset researchers explained:

The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account.

© https://www.instagram.com/p/BO8gU41A45g/

The extension will look at each photo's comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:

(?:\\u200d(?:#|@)(\\w)

Looking at the photo's comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:

http://bit.ly/2kdhuHX

Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called 'Zero Width Joiner,' normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:

smith2155#2hot make loveid to her, uupss #Hot #X

When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew.
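The decoding step Eset describes above, shown from an analyst's side as an added example (not Eset's code or the extension's): the regex is assumed from the article's description (a Zero Width Joiner, an optional '#' or '@', then one path character), the sample comment is constructed from the text quoted above, and the extension's custom hash is not reproduced because the article does not describe it.

```python
import re

ZWJ = "\u200d"  # Zero Width Joiner: invisible, legitimately used to glue emoji sequences

# Assumed equivalent of the behaviour described in the article: a ZWJ, an optional
# '#' or '@', then the ASCII character that belongs to the hidden bit.ly path.
HIDDEN_CHAR = re.compile(r"\u200d[#@]?([A-Za-z0-9_])")


def extract_hidden_path(comment: str) -> str:
    """Return the characters a ZWJ-marked comment smuggles, in order."""
    return "".join(HIDDEN_CHAR.findall(comment))


def zwj_stego_suspects(comment: str) -> list:
    """Offsets of ZWJs that sit next to plain ASCII text instead of emoji.
    A ZWJ followed by a printable ASCII letter or digit has no rendering
    purpose, which is what makes this encoding detectable in a comment feed."""
    return [m.start() for m in HIDDEN_CHAR.finditer(comment)]


def strip_zero_width(comment: str) -> str:
    """What a human sees: the comment with the invisible joiners removed."""
    return comment.replace(ZWJ, "")


# Constructed sample, modelled on the comment quoted in the article, with a ZWJ
# placed before each character of the path "2kdhuHX".
SAMPLE_COMMENT = (
    f"smith2155{ZWJ}#2hot ma{ZWJ}ke lovei{ZWJ}d to {ZWJ}her, "
    f"{ZWJ}uupss {ZWJ}#Hot {ZWJ}#X"
)
# Constructed benign comment: a family emoji sequence uses ZWJ legitimately.
BENIGN_COMMENT = "love this pic \U0001F468\u200d\U0001F469\u200d\U0001F467"


def triage(comment: str) -> dict:
    """Summarise one comment for a reviewer: visible text, ZWJ usage, decoded path."""
    hits = zwj_stego_suspects(comment)
    return {
        "visible": strip_zero_width(comment),
        "zwj_count": comment.count(ZWJ),
        "suspicious_zwj": len(hits),
        "hidden_path": extract_hidden_path(comment) if hits else "",
    }


if __name__ == "__main__":
    for c in (SAMPLE_COMMENT, BENIGN_COMMENT):
        print(triage(c))
```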

Data provided by bit.ly showed the URL received 17 visits in February, around the time the comment was posted. Eset researchers took the low number as a sign the malware may still be in testing, although another possibility is that it was used in an active campaign on highly targeted individuals.

The Firefox extension was spread through the website of an unnamed security company located in Switzerland. Eset researchers speculate the extension is an update to one that was spread in an earlier campaign that was dubbed Pacifier by security firm Bitdefender.

That backdoor in the most recent extension included the following capabilities:

  • execute arbitrary file
  • upload file to C&C
  • download file from C&C
  • read directory content – send a file listing, along with sizes and dates, to C&C

Eset researchers noted that Firefox developers are in the process of rearchitecting the browser in a way that will no longer allow the Turla extension to work. The researchers said the next version of the extension—if there is one—will likely look much different to account for those changes.
