A backdoor trojan has been lurking in the comment sections of Britney Spears' Instagram posts and the hacking group Turla may be the culprit.
ESET has given details on Turla's 'watering hole' attacks, which target popular websites in order to reach as many visitors as possible.
The backdoor hides inside a Firefox extension that was distributed through a compromised Swiss security website. Anyone who visited the site was asked to install the extension, which supplied another piece of the puzzle for the backdoor's C&C communications.
In February the malware was spotted lurking in Britney Spears' Instagram posts, showing that Turla actors are experimenting with social media as a way to communicate with their C&C servers.
According to ESET, "The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analysed sample was a comment about a photo posted to the Britney Spears official Instagram account".
Behind the scenes, the extension scans the photo's comments and computes a hash value for each one; when a comment's hash matches a specific, hard-coded value, the extension derives the bit.ly URL from that comment.
Luckily, bit.ly URLs have easily accessible tracking information, and ESET says there were only 17 clicks in February. ESET says the low number of clicks possibly indicates a test run of the backdoor.
For defenders trying to stop malicious activity on the web, this makes life harder: C&C lookups that go through Instagram and bit.ly are difficult to tell apart from genuine traffic to those services.
The technique also gives Turla "more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult."