Backdoor uses Instagram comments to communicate with server

Security firm ESET has discovered a malicious Firefox extension that acts as a backdoor and uses Instagram comments to connect to a command-and-control server. The backdoor is used by the Turla group.

The company came across the extension while investigating the Turla group, which appears to be of Russian origin and was previously found hijacking satellite connections to communicate with C2 servers. The group also uses so-called watering-hole attacks, targeting governments and diplomats, according to ESET. The Firefox extension, called ‘html5 encoding 0.3.7’, is a simple JavaScript backdoor that was distributed via the hacked website of a Swiss security company.

The connection is made through the comments on a specific Instagram post by Britney Spears. The extension contains code that computes a custom hash value for every comment on the post. If the hash equals 183, a regular expression is applied to that comment to derive the path of a URL. The researchers found only one comment whose hash produced the expected value; after applying the regex, it resolved to a specific URL that has been used as a C2 server in earlier Turla campaigns, ESET writes. The extension may be a test, since the URL had only been visited 17 times.

The comment in question also contains so-called zero-width joiners, which are used to join certain characters. The backdoor itself is relatively simple, the researchers note: it can execute files, upload files to and download files from the C2 server, and read directories. According to ESET, the Instagram method makes it difficult to classify the traffic to the C2 server as malicious, and it also allows the attackers to switch C2 servers when necessary.
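As an added example, not code from ESET or from the extension itself, the following defender-side heuristic scans a list of comments for text that only becomes URL-like once zero-width characters are stripped, which is the kind of comment the hash-and-regex "dead drop" described above selects. The extension's real hash function and regex are not on the page and are not reproduced; the sample comments, the `example.test` host and the function names are constructed for this illustration.

```javascript
// Added example (not the extension's or ESET's code): flag social-media comments
// where a URL-like string is hidden with zero-width characters. The real
// extension's custom hash (gate value 183) and regex are not reproduced here.

// Zero-width characters commonly used to hide text: ZWSP, ZWNJ, ZWJ, BOM.
const ZERO_WIDTH = /[\u200B\u200C\u200D\uFEFF]/g;

// Loose URL-ish pattern: host-like labels with a TLD, optional path.
const URL_LIKE = /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:\/[^\s]*)?/i;

function analyzeComment(text) {
  const zwCount = (text.match(ZERO_WIDTH) || []).length;
  const cleaned = text.replace(ZERO_WIDTH, '');
  const visibleUrl = URL_LIKE.test(text);      // readable without stripping?
  const m = cleaned.match(URL_LIKE);
  return {
    zwCount,
    cleaned,
    hiddenUrl: m ? m[0] : null,
    // Suspicious only when zero-width chars are present AND the URL appears
    // solely after they are removed. Emoji sequences that legitimately use
    // ZWJ (family, profession emoji) carry no URL, so they are not flagged.
    suspicious: zwCount > 0 && !visibleUrl && m !== null,
  };
}

function findSuspiciousComments(comments) {
  return comments
    .map((text, index) => ({ index, ...analyzeComment(text) }))
    .filter((r) => r.suspicious);
}

// Constructed sample input (not the real Instagram comments):
// a benign comment, a benign ZWJ emoji sequence, and a hidden dead-drop URL.
const ZWJ = '\u200D';
const SAMPLE_COMMENTS = [
  'love this song!!!',
  'family: \u{1F468}' + ZWJ + '\u{1F469}' + ZWJ + '\u{1F467}',
  'ex' + ZWJ + 'ample' + ZWJ + '.test' + ZWJ + '/dropzone',
];

// Usage: prints the single flagged comment with its recovered URL path.
console.log(findSuspiciousComments(SAMPLE_COMMENTS));
```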