In a report released on Tuesday, the Slovak security firm ESET revealed that malware known as Turla has been receiving instructions via Instagram comments. A seemingly innocuous comment posted on one of Spears’ latest photographs was in fact a disguised web address that took a multi-step process to recover.
Delivered as a malicious Firefox extension, Turla read the comment sections on Spears’ Instagram photos and computed a custom number, or ‘hash’ value, for each comment. When a comment matched a specific ‘hash’, the malware scanned it for particular marker characters and collected the character that followed each one; strung together, those characters formed a bit.ly link. Following that link led the extension to its command-and-control (C&C) server, which supplied it with instructions for retrieving stolen data.
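To make that multi-step decoding concrete, here is an added example written for this article; it is not ESET’s code and not the real extension’s. It models the comment “dead drop” in JavaScript, the language a Firefox extension would use. The hash function (a byte sum modulo 256), the marker characters (‘#’ and ‘@’), the target hash value and the sample comments are all assumptions constructed for the illustration; the page does not give the real ones.

```javascript
// Added example, not the real Turla extension: a minimal model of a
// comment-based dead-drop resolver. Hash, markers, target hash and sample
// comments are constructed assumptions for this illustration.

// Assumed stand-in for the extension's custom hash: sum of the UTF-16 code
// units of the comment text, reduced modulo 256.
function hashComment(text) {
  let h = 0;
  for (let i = 0; i < text.length; i++) {
    h = (h + text.charCodeAt(i)) & 0xff;
  }
  return h;
}

// Assumed marker scheme: every '#' or '@' is a marker, and the single
// character immediately after it is one character of the bit.ly path.
const MARKER_RE = /[#@](.)/g;

// Collect the characters that follow each marker, in order. Returns null
// when the comment carries no markers at all.
function extractPath(text) {
  const chars = [];
  for (const m of text.matchAll(MARKER_RE)) {
    chars.push(m[1]);
  }
  return chars.length > 0 ? chars.join('') : null;
}

// Hash of the operator's planted comment, shipped as a constant in the
// malware. 237 is the byte-sum hash of the constructed trigger comment below.
const TARGET_HASH = 237;

// Walk the thread, skip every comment whose hash does not match (so ordinary
// hashtags are never parsed), and rebuild the shortener URL from the one that
// does. Returns null when no comment matches or the match has no markers.
function resolveC2Url(comments, targetHash) {
  for (const c of comments) {
    if (hashComment(c.text) !== targetHash) continue;
    const path = extractPath(c.text);
    if (path === null) return null;
    return 'https://bit.ly/' + path;
  }
  return null;
}

// Constructed sample thread. Only the second comment is the trigger; the
// third contains a hashtag but fails the hash gate and is ignored.
const SAMPLE_COMMENTS = [
  { user: 'fan_one',   text: 'love this look!!' },
  { user: 'asmith215', text: 'queen #3 @x #Q #z @T #9' },
  { user: 'fan_two',   text: 'first! #britney' },
  { user: 'fan_three', text: 'so pretty' },
];

console.log(resolveC2Url(SAMPLE_COMMENTS, TARGET_HASH)); // https://bit.ly/3xQzT9
```

Two things the model makes visible: the hash acts as a gate, so the extension only tries to parse the one comment the operator planted and ignores the ordinary hashtags around it; and the C&C address is never present in the malware itself, so the operator can redirect every infected browser by posting a fresh comment and cover their tracks by deleting the old one, which is exactly the flexibility the ESET report describes below.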
The now-deleted comment was posted in February by a user ‘asmith215,’ in what ESET believes was an attempt to test the malware.
“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting,” the report reads. “This behaviour has already been observed in the past by other threat crews… Attackers using social media to recover a C&C address are making life harder for defenders.
“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it.”
The firm has conducted a long-standing investigation into Turla, which is speculated to have ties to the Russian government and has targeted foreign governments, militaries, and educational institutions in the past.