Turla Hackers Turn To Instagram For Latest Cyberattack

Russian hackers believed to be behind the Turla trojan package have started using social media site Instagram as a means of staying hidden once they have infected a target network.

The group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and has recently adopted this new method to further its criminal endeavours.

According to researchers at ESET, Turla is using Instagram to establish a connection between the network and its Command & Control (C&C) server.

The hackers are leveraging a Firefox extension which portrays itself as a security feature but contains a JavaScript backdoor, enabling third-parties to take control of an infected computer once it has been downloaded by the unsuspecting user.

The extension uses a bit.ly URL to reach its C&C, but the really clever part is that the URL path can’t be found in the actual code. Instead, it uses comments posted on a specific Instagram post to generate a custom hash value, which creates the path to the C&C infrastructure.

“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting,” write the researchers. “This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders.

“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.”

The comment in question was posted to a photo on Britney Spears’ official Instagram account, although the bit.ly link was only clicked 17 times, which ESET suggests could mean it was just a test run.

The researchers also said that several of the APIs used by the extension will not be present in future versions of Firefox.

Think you know all about security in 2017? Try our quiz!