Turla’s Russian “hackers” use comments under the photos of Britney Spears on Instagram to manage malware.
On June 6, researchers from ESET reported that they had discovered a new malicious program created by the well-known Russian-speaking hacker group Turla. According to the researchers, the Trojan uses comments on the singer Britney Spears's Instagram account to hide its activity and transmit stolen data.
The malicious program is contained in a Firefox browser extension called HTML5 Encoding, which was disguised as a tool for safe browsing. Turla compromised the website of a Swiss security company and used it to prompt visitors to install the trojanized extension.
According to ESET, the tool itself is "simple": installing the extension creates a backdoor that gives the attackers full access to the compromised device. The researchers suggested that the group adapted malware it had distributed through Microsoft Word documents in 2016.
Despite this "simplicity", Turla used a non-standard way of communicating with its command and control (C&C) servers, which send instructions to infected computers and also serve as a repository for stolen information. The researchers did not find any server addresses in the HTML5 Encoding extension's code. It later turned out that the malware obtained them from encrypted messages on Instagram.
One of these messages was placed under a photograph of Britney Spears. The extension searched the comments for one in which the address of the desired server was encrypted. This way the attackers could cover their tracks if the malware was detected.
According to ESET, the disguised reference appeared as a seemingly ordinary comment by one of the users: "# 2Hot the make loved to her, uups #Hot #X".
The researchers noted that since February 2017 the link had been transferred only 17 times. This may mean that the group was only testing a new way of hiding server data.
According to ESET, the use of social networks as cover for malware can greatly complicate the work of cybersecurity companies. If Turla takes the Trojan out of "test mode", its attacks will be much harder to track.
First, in social networks it is difficult to distinguish malicious traffic from legitimate traffic. Second, it gives the attackers greater flexibility when they need to change server addresses or destroy all traces.
ESET contacted the Firefox developers and informed them about the vulnerability. According to the researchers, they are now working together on a browser update, after which such extensions will no longer pose a threat.
In the media, the Turla group is often called "Kremlin hackers". According to Western publications, the group is actively supported by the Russian government, and its core consists of Russian speakers. In September 2015, Kaspersky Lab announced that Turla hides the location of its servers using satellites.
For a long time it was believed that the group began its activities in 2007. Later, however, Kaspersky Lab called Turla the successors of a 1990s group, Moonlight Maze, responsible for one of the first cyber-espionage operations. The researchers were able to link the two groups through an old computer that was compromised in 1996 using the same technique Turla used in 2011.