Categories: Security

Turla Hackers Turn To Instagram For Latest Cyberattack

Russian hackers believed to be behind the Turla trojan package have started using social media site Instagram as a means of staying hidden once they have infected a target network.

The group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and has recently adopted this new method to further its criminal endeavours.

According to researchers at ESET, Turla is using Instagram to establish a connection between the network and its Command & Control (C&C) server.

The hackers are leveraging a Firefox extension which portrays itself as a security feature but contains a JavaScript backdoor, enabling third-parties to take control of an infected computer once it has been downloaded by the unsuspecting user.

The extension uses a bit.ly URL to reach its C&C, but the really clever part is that the URL path can’t be found in the actual code. Instead, it uses comments posted on a specific Instagram post to generate a custom hash value, which creates the path to the C&C infrastructure.

“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting,” write the researchers. “This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders.

“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.”

What is your biggest cybersecurity concern?

  • Ransomware (28%)
  • Humans / Social Engineering (27%)
  • State sponsored hackers (14%)
  • Malware (14%)
  • Other (7%)
  • Out of date tools (6%)
  • DDoS (4%)

Loading ...

The comment in question was posted to a photo on Britney Spears’ official Instagram account, although the bit.ly link was only clicked 17 times, which ESET suggests could mean it was just a test run.

The researchers also said that several of the APIs used by the extension will not be present in future versions of Firefox.

Think you know all about security in 2017? Try our quiz!

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago