In 2015, the hacking group hijacked unencrypted satellite internet connections belonging to satellite internet providers in the Middle East and Africa to send data via the satellite links, but now Turla has moved on to an even cleverer method. The latest social media base used by the hackers is Britney Spears's Instagram account.
Researchers at We Live Security said: "We noticed that this extension was distributed through a compromised Swiss security company website". Visitors to the site would be asked to install the extension with the benign name "HTML5 Encoder". To send a target computer's data, however, the trojan used a very interesting method. Using an encoded comment on a Britney Spears Instagram post, the malware could find out what URL to use to reach its server without actually including that information in the code of the malware itself. The code would then contact the malware's command-and-control servers.
The Russian hackers are using links and codes on Britney's account to control the malware and spread it around.
Using social media to conduct a cyber attack is not only something many social media users wouldn't expect, it also allows the attackers to delete the content associated with the link. The actual comment in question was "#2hot make loveid to her, uupss #Hot #X" and contained several non-printable Unicode characters to help create the URL.
The malware was directed to scroll through the comments on Spears's photos and search for one that had a specific hash value. The software would then scan and hash each comment until it found one that returned a certain value (183 in this case).
ESET Security said they thought this particular post was just a test and linked the malware scheme to a group called Turla, a cyber espionage group that the company says has targeted governments, government officials and diplomats for some time. The extension works as a backdoor and finds its parent server through comments on social media.
The malware was disguised as a Firefox browser extension that posed as a security feature.
The embedded comments pose no real threat to everyday users. The practice makes the malware harder to detect since the server is never directly referenced either in the malware or the Instagram comments.
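A defender-side check for the kind of comment described above, one carrying non-printable Unicode characters, is sketched below as an added example; it is not code from ESET or from the malware. The sample comments are constructed, and the rule that a hidden character directly before printable ASCII is suspicious (while a joiner between emoji is normal) is an assumed heuristic.

```python
import unicodedata

# Cf = invisible "format" code points (zero-width joiner, directional marks);
# Cc = control characters. Ordinary whitespace controls are allowed.
HIDDEN_CATEGORIES = {"Cf", "Cc"}
ALLOWED = {"\n", "\r", "\t"}

# Constructed sample comments (not taken from any real account).
SAMPLE_COMMENTS = [
    ("user_a", "love this pic #summer"),
    # Legitimate use: U+200D glues emoji into a single family glyph.
    ("user_b", "\U0001F469\u200d\U0001F469\u200d\U0001F467 family day"),
    # Hidden joiners placed in front of plain ASCII letters.
    ("user_c", "so g\u200dood, w\u200dow #n\u200dice"),
]


def find_hidden(text):
    """Return (index, 'U+XXXX', next_char) for every hidden code point."""
    hits = []
    for i, ch in enumerate(text):
        if ch not in ALLOWED and unicodedata.category(ch) in HIDDEN_CATEGORIES:
            hits.append((i, f"U+{ord(ch):04X}", text[i + 1:i + 2]))
    return hits


def is_suspicious(hit):
    """Assumed heuristic: a hidden code point directly before printable ASCII
    serves no rendering purpose, unlike a joiner between two emoji."""
    nxt = hit[2]
    return nxt != "" and nxt.isascii() and nxt.isprintable()


def triage(comments, threshold=2):
    """Return (author, [(index, code_point), ...]) for comments worth review."""
    flagged = []
    for author, text in comments:
        bad = [(h[0], h[1]) for h in find_hidden(text) if is_suspicious(h)]
        if len(bad) >= threshold:
            flagged.append((author, bad))
    return flagged


if __name__ == "__main__":
    for author, bad in triage(SAMPLE_COMMENTS):
        print(author, bad)
```

The emoji comment contains the same U+200D code point as the flagged one, which is why a plain "contains a zero-width character" rule would produce false positives on ordinary posts.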