- The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:
(?:\u200d(?:#
Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:
Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character U+200D. This is a non-printable character called ‘Zero Width Joiner’, normally used to join several emoji into one glyph. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes up the path of the bit.ly URL:
smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew.
Dayyyyyyum. That's clever. Like a numbers station. Post the data completely in the clear, then point a script at it, and it decodes to instructions. This is zygote-level use of social media for this type of C&C obfuscation. Imagine one social media comment that redirects to three others, which all have parts of the final code that needs to be assembled together to decrypt. Now multiply that by 100. Oof. The security gang sure has their work cut out for themselves!
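The decode step described in the quoted write-up, as an added example that is neither ESET's analysis code nor the extension's own: it pulls the hidden path out of a comment by taking the character that follows each Zero Width Joiner, and it flags comments that carry the channel. The write-up's regex is truncated, so the pattern `\u200d[#@]?(\w)` here is an assumed stand-in that reproduces the behaviour the text describes (ZWJ, optionally a '#' or '@', then one path character). The custom hash the extension uses to pick the right comment is not described on the page and is not reproduced; the example uses the ZWJ anomaly itself as the selector, with a hit threshold of three stray ZWJs that is likewise an assumption. The sample feed is constructed for the example; its second entry is the comment quoted above with the `<200d>` placeholders turned back into real U+200D characters.

```python
# Added example (not ESET's code and not the extension's): decoding and
# flagging zero-width-joiner (ZWJ, U+200D) steganography in comments.
import re

ZWJ = "\u200d"

# Assumed stand-in for the truncated regex in the write-up: each hidden
# character is a word character that directly follows a ZWJ, optionally with
# a '#' or '@' in between so the comment still reads like hashtags/mentions.
HIDDEN_CHAR = re.compile(r"\u200d[#@]?(\w)")


def decode_hidden_path(comment: str) -> str:
    """Return the characters each ZWJ marks, in order: the hidden URL path."""
    return "".join(HIDDEN_CHAR.findall(comment))


def suspicious_zwj_count(comment: str) -> int:
    """Count ZWJs that are not joining emoji.

    A legitimate ZWJ sits between two emoji code points (woman + ZWJ + laptop
    renders as one glyph). A ZWJ followed by an ASCII character, or sitting at
    the end of the text, has no rendering purpose and is the tell for this
    kind of covert channel.
    """
    count = 0
    for i, ch in enumerate(comment):
        if ch != ZWJ:
            continue
        nxt = comment[i + 1] if i + 1 < len(comment) else ""
        if nxt == "" or nxt.isascii():
            count += 1
    return count


def find_hidden_paths(comments, threshold=3):
    """Return (index, decoded_path) for every comment that carries the channel.

    The real extension first selects a comment by a custom hash (value 183 in
    the write-up); that hash is unknown here, so the ZWJ anomaly count is used
    as the selector instead. The threshold of 3 is an assumption.
    """
    hits = []
    for idx, comment in enumerate(comments):
        if suspicious_zwj_count(comment) >= threshold:
            hits.append((idx, decode_hidden_path(comment)))
    return hits


def from_page_notation(text: str) -> str:
    """Turn the '<200d>' placeholders used in the write-up into real ZWJs."""
    return text.replace("<200d>", ZWJ)


# Constructed sample feed: one benign comment with a real emoji ZWJ sequence,
# the comment quoted in the write-up, and the same words without any ZWJ.
SAMPLE_COMMENTS = [
    "gorgeous 👩\u200d💻 keep it up",
    from_page_notation(
        "smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, "
        "<200d>uupss <200d>#Hot <200d>#X"
    ),
    "#Hot #X 2hot make love id to her uupss",
]

if __name__ == "__main__":
    for idx, path in find_hidden_paths(SAMPLE_COMMENTS):
        print(f"comment {idx}: hidden path {path!r}, "
              f"{suspicious_zwj_count(SAMPLE_COMMENTS[idx])} stray ZWJs")
```

Run as-is, only the quoted comment is reported: seven stray ZWJs, decoding to a seven-character path. The benign emoji comment scores zero because `\w` does not match the emoji after the ZWJ and the ZWJ is not followed by ASCII, which is the distinction a detection rule on comment feeds should key on rather than the mere presence of U+200D.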