Turla, a Russian-speaking group that has targeted governments around the world for years, is using a clever technique in its malware. The attackers infect the victim's machine with a malicious Firefox extension, but that is not what makes this attack special. According to an ESET blog post, the malware retrieves the information it needs to contact the attackers' command-and-control (C&C) server from a comment on Britney Spears' Instagram account.
One of the comments on Britney Spears' account, posted by a user going by 'asmith2155', reads "#2hot make loved to her, uupss #Hot #X." The comment looks innocuous, but it is not.
The malware applies a regular expression to the comment to extract a bit.ly link. It then uses that link to reach the attackers' server and fetch instructions on what to do next.
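As an added illustration (not ESET's analysis and not the extension's own code), the following JavaScript reconstructs the general trick of hiding a short-link path inside an ordinary-looking comment: invisible zero-width joiner characters (U+200D) are placed in front of the letters that, read in order, form the bit.ly path, and a regex collects exactly those letters. The regex, the placement of the hidden characters in the quoted comment and the resulting path are assumptions made for this example. The second half is the defender-side check a practitioner would want: flagging and stripping zero-width code points that have no business in a social-media comment.

```javascript
// Added example; not code from ESET or from the Turla extension.
// Demonstrates a regex-based extraction of a bit.ly path hidden behind
// zero-width joiner (ZWJ, U+200D) characters, plus a defensive check.

const ZWJ = "\u200d";

// Constructed sample: the visible text matches the comment quoted in the
// article; the ZWJ placement is our own assumption for illustration.
const SAMPLE_COMMENT =
  "#" + ZWJ + "2hot ma" + ZWJ + "ke love" + ZWJ + "d to " + ZWJ + "her, " +
  ZWJ + "uupss " + ZWJ + "#Hot " + ZWJ + "#X";

// Attacker-side parsing (assumed regex): the word character right after
// each ZWJ, skipping an optional '#' or '@', is appended to the path.
function extractHiddenPath(comment) {
  const re = /\u200d[#@]?(\w)/g;
  let path = "";
  let m;
  while ((m = re.exec(comment)) !== null) path += m[1];
  return path;
}

// Turn the recovered path into the short link the backdoor would resolve.
// Returns null when the comment carries no hidden path.
function buildC2Url(comment) {
  const path = extractHiddenPath(comment);
  return path ? "https://bit.ly/" + path : null;
}

// Defender-side check: zero-width and joiner code points in user-generated
// text are a signal worth alerting on. Returns position and code point of
// every occurrence.
const ZERO_WIDTH = /[\u200b\u200c\u200d\u2060\ufeff]/g;
function findZeroWidth(text) {
  return Array.from(text.matchAll(ZERO_WIDTH), (m) => ({
    index: m.index,
    codePoint:
      "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Normalisation step: remove the invisible characters so the comment can be
// compared with what a human actually sees.
function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, "");
}

// Stand-alone run: show what the human sees, what the regex recovers, and
// what the defensive scan reports.
console.log("visible :", stripZeroWidth(SAMPLE_COMMENT));
console.log("path    :", extractHiddenPath(SAMPLE_COMMENT));
console.log("C2 link :", buildC2Url(SAMPLE_COMMENT));
console.log("hidden  :", findZeroWidth(SAMPLE_COMMENT));
```

The point of the defensive half is that the visible comment and the stripped comment are identical to a reader, while `findZeroWidth` reports every invisible code point with its offset; a content filter or a DLP rule that normalises text before matching would miss the steganographic channel entirely unless it also counts these characters.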
"We noticed that this extension was distributed through a compromised Swiss security company website. Unsuspecting visitors to this website were asked to install this malicious extension. The extension is a simple backdoor, but with an interesting way of fetching its C&C domain," the ESET report reads.
This is not the first time a backdoor has been disguised as a Firefox add-on. In the summer of 2016, researchers from Bitdefender published a detailed account of the activities of the Pacifier APT, which used exactly this method against Romanian government institutions.
"The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes," the researchers said. "...it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it."
- Christina