Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
Pretty crazy.
The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL: (?:\\u200d(?:#|@)(\\w) Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL: bit.ly/2kdhuHX Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL
(tags: security malware russia turla zwj unicode characters social-media instagram command-and-control)
-
decent enough tool builtin to OSX