Security firm ESET has discovered a malicious Firefox extension that acts as a backdoor and uses Instagram comments to connect to a command-and-control server. The backdoor is used by the Turla group.
The connection is made through the comments on a specific Instagram post by Britney Spears. The extension contains code that computes a custom hash value for each comment on the post. If the hash equals 183, a regular expression extracts the path of a bit.ly URL from that comment. The researchers found only one comment whose hash produced the desired value; after applying the regular expression, it yielded a specific URL that has been used as a C2 server in earlier Turla campaigns, ESET writes. The extension may be a test, since the URL had been visited only 17 times.
The comments on the post also contain so-called zero-width joiners (U+200D), invisible characters normally used to join certain characters together. The backdoor itself is relatively simple, the researchers note: it can execute files, upload files to and download files from the C2 server, and read directories. According to ESET, the Instagram method makes it difficult to classify the traffic to the C2 server as malicious. It also allows the attackers to switch C2 servers when necessary.
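The zero-width joiners are the one part of this scheme that a defender can look for directly, because visible comment text almost never contains them outside emoji ZWJ sequences (family, profession and similar emoji). The following is an added triage heuristic, not ESET's code or anything recovered from the extension: it flags comments in which a ZWJ appears somewhere other than between two emoji components. The sample comments are constructed, and the "emoji component" code-point ranges are an assumption that is good enough for triage rather than a complete Unicode emoji classification.

```python
# Added example (not ESET's code): flag comments that carry zero-width joiners
# outside legitimate emoji ZWJ sequences. Sample comments are constructed.
from dataclasses import dataclass, field

ZWJ = "\u200d"  # ZERO WIDTH JOINER


def is_emoji_component(ch: str) -> bool:
    """True for code points that may legitimately sit on either side of a ZWJ
    in an emoji sequence. Assumed ranges, sufficient for triage."""
    cp = ord(ch)
    return (
        cp >= 0x1F000                # pictographs, emoticons, flags, skin-tone modifiers
        or 0x2600 <= cp <= 0x27BF    # misc symbols / dingbats (hearts, male/female signs)
        or cp in (0xFE0F, 0x20E3)    # variation selector-16, combining enclosing keycap
    )


@dataclass
class ZwjReport:
    visible_text: str                 # what a human sees (ZWJs removed)
    total_zwj: int                    # every ZWJ, including emoji ones
    anomalous_positions: list = field(default_factory=list)  # ZWJs not between emoji

    @property
    def suspicious(self) -> bool:
        return bool(self.anomalous_positions)


def inspect_comment(text: str) -> ZwjReport:
    """Locate ZWJs whose neighbours are not both emoji components."""
    report = ZwjReport(visible_text=text.replace(ZWJ, ""), total_zwj=text.count(ZWJ))
    for i, ch in enumerate(text):
        if ch != ZWJ:
            continue
        prev_ch = text[i - 1] if i > 0 else ""
        next_ch = text[i + 1] if i + 1 < len(text) else ""
        legit = bool(prev_ch) and bool(next_ch) \
            and is_emoji_component(prev_ch) and is_emoji_component(next_ch)
        if not legit:
            report.anomalous_positions.append(i)
    return report


# Constructed sample comments: benign text, a legitimate family emoji ZWJ
# sequence, text with ZWJs spliced between words, and a trailing ZWJ.
SAMPLE_COMMENTS = [
    "love this song!!",
    "\U0001F468\u200d\U0001F469\u200d\U0001F467 family goals",
    "so\u200d cute\u200d wow\u200d love\u200d it\u200d",
    "trailing zwj\u200d",
]


def triage(comments):
    """Return (comment, report) pairs for a batch of comments."""
    return [(c, inspect_comment(c)) for c in comments]


if __name__ == "__main__":
    for c, r in triage(SAMPLE_COMMENTS):
        flag = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{flag:10} zwj={r.total_zwj} anomalous_at={r.anomalous_positions} "
              f"text={r.visible_text!r}")
```

Only the third and fourth samples are flagged; the family emoji keeps its two ZWJs because both neighbours are emoji components. In practice this check belongs alongside the other signal the article describes, namely requests to URL shorteners from a browser extension, since neither on its own is conclusive.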