If you are one of the regular users of Instagram, then you need to be very careful. The photo sharing app, currently owned by Facebook is on its way to reach 1 billion users. Numbers that big sure does come with huge traffic. Traffic is where these Russian Hackers are next targeting.
A cyber-espionage group known as Turla — believed to be the cyber-arm of Russian intelligence — has been playing around with a backdoor trojan disguised as a Firefox extension that uses comments on Britney Spears Instagram photos to store the location of its command and control (C&C) server.
The group’s primary mode of operation is via compromised sites that load malicious code that forcibly download and execute malicious files on the user’s computer. This type of attack is known as a drive-by download and is used by exploit kits, malvertising campaigns, and cyber-espionage units.
According to ESET Security researchers, the malware hidden among 7000 comments might look like an ordinary spam, but in this case, the malware went through all of the comments on Spears’ Instagram photo and computed a number, or a “hash,” for each one, while it looked for a specific hash.
When it found the comment with the right hash, it would check it out for particular characters, grab the letters that came after those characters and turn them it into a link. That link would then let the malware connect to its controllers. Such a method allows the controllers to change where it meets up with the malware without having to change the malware itself.
ESET Security concluded in its report, the fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders.
Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.
Image Source: bleepingcomputer