Categories: Security

Turla Hackers Turn To Instagram For Latest Cyberattack

Russian hackers believed to be behind the Turla trojan package have started using social media site Instagram as a means of staying hidden once they have infected a target network.

The group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and has recently adopted this new method to further its criminal endeavours.

According to researchers at ESET, Turla is using Instagram to establish a connection between the network and its Command & Control (C&C) server.

The hackers are leveraging a Firefox extension which portrays itself as a security feature but contains a JavaScript backdoor, enabling third-parties to take control of an infected computer once it has been downloaded by the unsuspecting user.

The extension uses a bit.ly URL to reach its C&C, but the really clever part is that the URL path can’t be found in the actual code. Instead, it uses comments posted on a specific Instagram post to generate a custom hash value, which creates the path to the C&C infrastructure.

“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting,” write the researchers. “This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders.

“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.”

What is your biggest cybersecurity concern?

  • Ransomware (28%)
  • Humans / Social Engineering (27%)
  • State sponsored hackers (14%)
  • Malware (14%)
  • Other (7%)
  • Out of date tools (6%)
  • DDoS (4%)

Loading ...

The comment in question was posted to a photo on Britney Spears’ official Instagram account, although the bit.ly link was only clicked 17 times, which ESET suggests could mean it was just a test run.

The researchers also said that several of the APIs used by the extension will not be present in future versions of Firefox.

Think you know all about security in 2017? Try our quiz!

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

7 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

9 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

11 hours ago