
Turla Hackers Turn To Instagram For Latest Cyberattack

Russian hackers believed to be behind the Turla trojan package have started using social media site Instagram as a means of staying hidden once they have infected a target network.

The group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and has recently adopted this new method to further its criminal endeavours.

According to researchers at ESET, Turla is using Instagram to establish a connection between the network and its Command & Control (C&C) server.

The hackers are leveraging a Firefox extension that presents itself as a security feature but contains a JavaScript backdoor, enabling third parties to take control of an infected computer once the unsuspecting user has installed it.

The extension uses a bit.ly URL to reach its C&C, but the really clever part is that the URL path can’t be found in the actual code. Instead, it uses comments posted on a specific Instagram post to generate a custom hash value, which creates the path to the C&C infrastructure.

“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting,” write the researchers. “This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders.

“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.”
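The C&C lookup described above (Instagram comments, then a bit.ly link, then the C&C host) leaves each request looking like ordinary browsing, which is the difficulty the researchers point to. The correlator below is an added example, not code from ESET or from this article: it walks constructed proxy log lines and flags a client that fetches comments on an Instagram post and then requests a bit.ly link within a short window. The log format, the comment endpoint path and the short codes are assumptions for illustration.

```python
"""Heuristic correlator for the Instagram-then-bit.ly C&C lookup.

Constructed sample proxy log (not real traffic). Line format is assumed:
<iso timestamp> <client_ip> <method> <host> <path>
A hit is a triage signal for review, not a verdict: each request alone is
ordinary browsing, only the sequence is suspicious.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2017-06-06T10:00:01 10.0.0.5 GET www.instagram.com /p/BQ0xyz/
2017-06-06T10:00:02 10.0.0.5 GET www.instagram.com /p/BQ0xyz/comments/
2017-06-06T10:00:04 10.0.0.5 GET bit.ly /2abcDEF
2017-06-06T10:05:00 10.0.0.7 GET www.instagram.com /p/BQ0xyz/comments/
2017-06-06T11:30:00 10.0.0.7 GET bit.ly /3ghiJKL
2017-06-06T10:10:00 10.0.0.9 GET bit.ly /4mnoPQR
"""

WINDOW = timedelta(minutes=10)  # assumed window between the two requests

def parse(log_text):
    """Return events as (timestamp, client, host, path), in time order."""
    events = []
    for line in log_text.splitlines():
        ts, client, _method, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path))
    return sorted(events)

def is_comment_fetch(host, path):
    # Assumed shape of an Instagram post-comments request.
    return host.endswith("instagram.com") and "/comments" in path

def is_shortener(host):
    return host == "bit.ly"

def flag_social_lookup(log_text, window=WINDOW):
    """Return (client, short_path, seconds_after_comment_fetch) for every
    bit.ly request that follows an Instagram comment fetch by the same
    client within `window`."""
    last_comment_fetch = {}
    hits = []
    for ts, client, host, path in parse(log_text):
        if is_comment_fetch(host, path):
            last_comment_fetch[client] = ts
        elif is_shortener(host) and client in last_comment_fetch:
            delta = ts - last_comment_fetch[client]
            if timedelta(0) <= delta <= window:
                hits.append((client, path, int(delta.total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in flag_social_lookup(SAMPLE_LOG):
        print("review:", hit)
```

With the default window only 10.0.0.5 is flagged; 10.0.0.7 made both requests but 85 minutes apart, and 10.0.0.9 never touched Instagram comments.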


The comment in question was posted to a photo on Britney Spears’ official Instagram account, although the bit.ly link was only clicked 17 times, which ESET suggests could mean it was just a test run.

The researchers also said that several of the APIs used by the extension will not be present in future versions of Firefox.


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
