Russian hackers believed to be behind the Turla trojan package have started using social media site Instagram as a means of staying hidden once they have infected a target network.
The group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and has recently adopted this new method to further its criminal endeavours.
According to researchers at ESET, Turla is using Instagram to establish a connection between the network and its Command & Control (C&C) server.
The hackers are leveraging a Firefox extension which portrays itself as a security feature but contains a JavaScript backdoor, enabling third-parties to take control of an infected computer once it has been downloaded by the unsuspecting user.
The extension uses a bit.ly URL to reach its C&C, but the really clever part is that the URL path can’t be found in the actual code. Instead, it uses comments posted on a specific Instagram post to generate a custom hash value, which creates the path to the C&C infrastructure.
“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting,” write the researchers. “This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders.
“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.”
What is your biggest cybersecurity concern?
The comment in question was posted to a photo on Britney Spears’ official Instagram account, although the bit.ly link was only clicked 17 times, which ESET suggests could mean it was just a test run.
The researchers also said that several of the APIs used by the extension will not be present in future versions of Firefox.
Think you know all about security in 2017? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…