Russian hacker group used Britney Spears' Instagram to hide their control servers
Want to hide your command and control server? Just post it on Instagram
Yes, you read that title right. As reported by Ars Technica, the Russian hacking group Turla has found a unique way to keep the URL of its command and control server secret: by posting it on Britney Spears's Instagram. The command and control server is what malware typically communicates with to receive instructions, and it is where the malware offloads data stolen from the victim.
On the surface, setting up a C&C server seems simple, but it is actually a difficult problem for malware makers to solve.

The malware needs to know which server to communicate with, but simply hard-coding that address doesn't make for very good malware. Security analysts can go through the source code, find the URL, and issue a patch that blocks traffic to that server. This is similar to what helped bring down the WannaCry ransomware attack.
To ensure the malware knows who to talk to without anyone else knowing, Turla implemented a simple yet brilliant approach to locating the control server. The group deliberately placed comments on certain Instagram posts that the malware could reference. The software would then scan and hash each comment until it found one whose hash returned a certain value (183 in this case). Then, by running a mathematical expression over the characters of that comment, the C&C URL could be obtained.
Since the server is never directly referenced in the comment or in the source code, the malware was very hard to detect. The actual comment in question was "#2hot make loveid to her, uupss #Hot #X", and it contained several non-printable Unicode characters that help form the URL.
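As an added illustration (not code from the article, nor from any published analysis of the malware), the following Python scans a handful of constructed Instagram-style comments and flags those that carry non-printable Unicode code points, since an innocuous-looking comment padded with invisible characters is the artifact a defender can look for. The sample comments, the `HIDDEN_CATEGORIES` set and the `min_hidden` threshold are assumptions of this example.

```python
import unicodedata

# Unicode general categories that produce no visible glyph: format (Cf: zero-width
# space/joiner, soft hyphen, ...), control (Cc), private use (Co), unassigned (Cn).
HIDDEN_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}

# Constructed sample comments. The second one is our own placeholder shaped like the
# comment quoted in the article, with zero-width characters inserted; it is not the
# real comment and encodes no real address.
SAMPLE_COMMENTS = [
    "love this pic!!",
    "#2hot make lov\u200bei\u200dd to her, uup\u200css #Hot #X",
    "omg she's so pretty \u2764",
]

def hidden_code_points(text):
    """Return (position, 'U+XXXX', name) for every invisible code point in text.
    Ordinary whitespace (space, tab, newline) is not counted."""
    found = []
    for pos, ch in enumerate(text):
        if ch.isspace():
            continue
        if unicodedata.category(ch) in HIDDEN_CATEGORIES:
            name = unicodedata.name(ch, "<unnamed>")
            found.append((pos, f"U+{ord(ch):04X}", name))
    return found

def visible_text(text):
    """The comment as a reader would see it, with the hidden code points stripped."""
    hidden = {pos for pos, _, _ in hidden_code_points(text)}
    return "".join(ch for pos, ch in enumerate(text) if pos not in hidden)

def scan_comments(comments, min_hidden=1):
    """Flag comments carrying at least min_hidden invisible code points.
    Returns a list of (index, visible_text, hidden_code_points) for flagged ones."""
    flagged = []
    for i, comment in enumerate(comments):
        hidden = hidden_code_points(comment)
        if len(hidden) >= min_hidden:
            flagged.append((i, visible_text(comment), hidden))
    return flagged

if __name__ == "__main__":
    for idx, shown, hidden in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}: {shown!r}")
        for pos, cp, name in hidden:
            print(f"    hidden {cp} ({name}) at offset {pos}")
```

Only the second sample is flagged: its visible text reads like the quoted comment, while the report lists the zero-width characters a reader would never notice.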