A Russian-speaking hacking group that is famous for targeting government bodies around the world is now using social media channels to mask the attack. The group is taking advantage of social media apps like Instagram to cover surveillance malware once it corrupts the main system. There are extensions that work in the backdoor and detect parent server through comments on social media. The latest social base used by the hackers is Britney Spear's Instagram account.
A report published by researchers from antivirus provider Eset, revealed the backdoor Trojan that used the comment box of Britney Spears's official Instagram to locate the control server that sends directions and offloads data taken from infected computers. This new technique is used by a threat group known as Turla. By using social media channels, the attackers are masking the actual location and servers, which makes them harder to detect by agencies. The attackers never directly reference the control servers, neither in the malware nor the comment box.
Hackers are using different channels to mask their original servers. The latest trick is to install harmful Firefox plug-ins on systems and then control the path through comment sections on popular social media accounts.
This is not the first time when researchers have discovered backdoors for malware. In 2014, researchers at Kaspersky Lab found an incredibly secretive Linux backdoor that used to transfer data from Windows systems in government offices. The hacking group, Turla has been involved in a variety of malware campaigns, some of which used satellite-based Internet connections to hide their servers.
In their latest report, Eset researchers also mentioned a Firefox browser extension disguised as a security feature. It was used by outsiders to fetch data from infected systems. The extension also used programming tricks to send the data to the parent server. This extension was distributed by an unnamed security company in Switzerland. The malicious extension would compute a custom hash value mentioned in the comment box (as mentioned on Britney Spear's official Instagram account). It looks for the custom hash value 183, and once it matches, the extension runs the path of bit.ly URL.
Researchers reveal how comment box detection works on Britney Spear's Instagram account:
The extension will look at each photo's comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:
(?:\\u200d(?:#|@)(\\w)
Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called 'Zero Width Joiner,' normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:
smith2155#2hot make loveid to her, uupss #Hot #X
When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew.
After knowing about the malicious extension campaign by Turla, Firefox developers are restructuring the browser to disable harmful extensions. In the meantime, we would advise our readers to check their extensions list in Firefox browser and trash the suspicious ones right away.
