{"id":180260,"date":"2017-06-11T18:55:00","date_gmt":"2017-06-11T23:55:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2017\/06\/11\/not-the-onion-or-duffelblog\/"},"modified":"2017-06-11T18:55:00","modified_gmt":"2017-06-11T23:55:00","slug":"not-the-onion-or-duffelblog","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2017\/06\/11\/not-the-onion-or-duffelblog\/","title":{"rendered":"Not The Onion or Duffelblog"},"content":{"rendered":"<div>It appears that there is some Russian malware out in the wild that <a href=\"https:\/\/arstechnica.com\/security\/2017\/06\/russian-hackers-turn-to-britney-spears-for-help-concealing-espionage-malware\/\">uses the comments in Britney Spears&#8217;s Instagram account to update its botnet<\/a>:<\/div>\n<blockquote><p><span style=\"color: blue;\">A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it infects a network of interest. <\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">According to a <a href=\"https:\/\/www.welivesecurity.com\/2017\/06\/06\/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram\/\">report published Tuesday<\/a> by researchers from antivirus provider Eset, a recently discovered backdoor Trojan <b><span style=\"font-size: 100%; font-variant: small-caps;\">used comments posted to Britney Spears&#8217;s official Instagram account to locate the control server<\/span><\/b> that sends instructions and offloads stolen data to and from infected computers. 
The innovation\u2014by a so-called advanced persistent threat group known as Turla\u2014makes the malware harder to detect because attacker-controlled servers are never directly referenced in either the malware or in the comment it accesses.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">\u2026\u2026\u2026<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">Eset researchers explained:<\/span><\/p>\n<blockquote><p><span style=\"color: blue;\">The extension uses a bit.ly URL to reach its C&amp;C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account.<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">\u2026\u2026\u2026<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">The extension will look at each photo&#8217;s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">(?:\\u200d(?:#|@)(\\w)<\/span><br \/><span style=\"color: blue;\"><br \/><\/span><span style=\"color: blue;\">Looking at the photo&#8217;s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. 
Taking the comment and running it through the regex, you get the following bit.ly URL:<\/span><\/p><\/blockquote>\n<\/blockquote>\n<p>(<i>emphasis mine<\/i>)<\/p>\n<p>One has to admire the ingenuity shown here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It appears that there is some Russian malware out in the wild that uses the comments in Britney Spears&#8217;s Instagram account to update its botnet: A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[395,435,367,382],"class_list":["post-180260","post","type-post","status-publish","format-standard","hentry","tag-computer","tag-crimes","tag-internet","tag-technology"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/180260"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=180260"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/180260\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=180260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=180260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=180260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}