Q
Problem solve Get help with specific problems with your technologies, process and projects.

How can attackers turn Instagram into C&C infrastructure?

An Instagram application can be turned into C&C infrastructure with the help of image steganography malware attacks. Expert Nick Lewis explains how this works.

Researchers at cybersecurity firm Endgame have developed a proof-of-concept attack called Instegogram, where image...

steganography is used to create stealth malware command-and-control channels on a user's Instagram application. How can attackers execute this attack, and what options are available for security teams to detect these kinds of steganography attacks?

One of the most difficult aspects of controlling a botnet is the command-and-control infrastructure (C&C). Bot masters want to be able to reliably control their botnet, and that requires check-ins with the C&C.

Malware typically has one or more ways to contact the C&C infrastructure embedded in it. It also has functionality to transition to communicating with other nodes in the C&C, minimizing the chance of the initial C&C node being detected.

Malware authors have tried to hide their C&C infrastructure by using custom protocols, domain name generating algorithms, peer-to-peer connections, scans of the internet, encrypted connections and many other methods. In some cases, leveraging free cloud or social media services as C&C infrastructure has helped attackers disguise malicious communications as legitimate traffic.

The Endgame researchers' Instegogram proof-of-concept attack used image steganography to encode data in images on Instagram for the C&C. This allowed the researchers to create a C&C infrastructure from an application that would be commonly allowed on enterprise and mobile networks. The proof-of-concept malware downloaded the images from Instagram and extracted the data for the C&C.

Endgame made several recommendations to Instagram, as well as other social networks, to prevent their services from being used as C&C infrastructures, such as compressing or making changes to the images without changing the quality of the images in order to prevent C&C data being encoded in the image. Endgame's recommendations for enterprises include focusing on detecting outliers in network behavior, such as multiple new devices using Instagram or multiple new devices using the same account. 

Next Steps

Learn about the ways attackers use steganography to hide malware

Find out how an Android Trojan recruits Twitter accounts as C&C servers

Discover how the Necurs botnet spreads Locky ransomware

This was last published in March 2017

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your enterprise monitor for attacks that turn mobile applications into C&C servers?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close