That Time Britney Spears Was Behind an APT Campaign (No, Not Really)
Turla (once known as Uroburos) is a highly sophisticated advanced persistent threat (APT) campaign that has long been suspected of having ties to the Russian government, dating back to at least 2008 and likely lasting till the world ends.
This cross-platform malware family has been seen on both Windows and Linux operating systems. It uses a wide variety of crazy tactics and strategies to infiltrate embassies, military bases, and critical infrastructure across Europe and the Americas.
This week, researchers at ESET made an interesting discovery in the latest act of this trojan's circus of antics, one that has now roped in pop idol Britney Spears.
Having previously abused Google Analytics and various watering hole techniques, the authors of Turla have gone out of their way to implement security measures that overprotect its ability to exfiltrate data and communicate with its control servers. Not satisfied with traditional methods of establishing back-channel communication with its command and control (C2) servers, the authors decided to go with something a little stronger.
Using tactics as obscure as Britney Spears' current career choices, the authors turned to Spears' Instagram account to break the ice, having the malware decode its C2 server address from there.
Astonishingly, the APT operators developed a custom algorithm that hashes every user comment written on Britney's photos and then runs a regular expression over them to extract Turla's C2 URL. The scheme sifted through over 6500 comments on Britney's pictures and narrowed them down to a single one:
This seemingly clumsy comment actually contains a highly sophisticated steganographic message padded using the Unicode character U+200D. This unprintable character is typically used (Read more...)
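A detection-side illustration, added here and not part of the original post or the ESET analysis: it flags comments in which U+200D appears where it cannot be joining emoji, and recovers the characters marked that way for an analyst to inspect. The marker-before-each-hidden-character encoding, the placeholder payload and the sample comments are assumptions constructed for this example; Turla's real extraction rule is not given on this page.

```python
import unicodedata

ZWJ = "\u200d"  # zero-width joiner, the character named in the post


def suspicious_zwj_positions(text: str) -> list[int]:
    """Indices of U+200D that are not acting as an emoji joiner.

    A legitimate ZWJ sits between two emoji code points (category 'So', or a
    variation selector / modifier, 'Mn' / 'Sk', on its left). A ZWJ next to a
    letter, digit, punctuation mark or space renders as nothing and has no
    purpose in a comment; that is the steganography signal to alert on.
    """
    flagged = []
    for i, ch in enumerate(text):
        if ch != ZWJ:
            continue
        prev_ok = i > 0 and unicodedata.category(text[i - 1]) in ("So", "Mn", "Sk")
        next_ok = i + 1 < len(text) and unicodedata.category(text[i + 1]) == "So"
        if not (prev_ok and next_ok):
            flagged.append(i)
    return flagged


def recover_marked_chars(text: str) -> str:
    """Assumed scheme (not confirmed by the post): each hidden character is the
    one directly after a suspicious ZWJ; concatenated in order they form the
    hidden string."""
    return "".join(text[i + 1] for i in suspicious_zwj_positions(text)
                   if i + 1 < len(text))


def scan_comments(comments: list[str]) -> list[tuple[int, int, str]]:
    """(comment index, number of suspicious ZWJs, recovered text) for each hit."""
    hits = []
    for idx, text in enumerate(comments):
        pos = suspicious_zwj_positions(text)
        if pos:
            hits.append((idx, len(pos), recover_marked_chars(text)))
    return hits


# Constructed sample comments; the payload uses a reserved TLD and is not a real indicator.
PAYLOAD = "c2.example.invalid"
SAMPLE_COMMENTS = [
    "love this pic!!! \U0001F60D",                                  # clean
    "\U0001F468\u200d\U0001F469\u200d\U0001F467 family goals",      # legitimate emoji ZWJ sequence
    "omg " + "".join(ZWJ + c for c in PAYLOAD) + " queen \U0001F451",  # every payload char marked
]

if __name__ == "__main__":
    for idx, n, hidden in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}: {n} stray U+200D, recovered {hidden!r}")
```

The family-emoji comment is deliberately left unflagged: alerting on every U+200D would drown a detection in ordinary emoji traffic.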
This is a Security Bloggers Network syndicated blog post authored by the Cylance Research and Intelligence Team. Read the original post at: Cylance Blog