Russian hackers are finding innovative ways to infect people’s computers. Security researchers have found that a Russian cyber espionage group known as Turla is using comments on Britney Spears’ Instagram to hide the location of the command and control (C&C) server for one of its Trojans.
Turla is believed to be the cyber arm of Russian intelligence, and ESET researchers say the group is experimenting with a Firefox extension Trojan, just one part of a larger arsenal of hacking tools at its disposal.
A Trojan is a malicious computer program that gets onto a computer by posing as legitimate software. The name comes from the Trojan horse the Greeks used to infiltrate the city of Troy. The Trojan in question here is a Firefox extension that has been spotted on compromised websites. When a user visits one of these websites, they are asked to download the extension, which is misleadingly named HTML5 Encoding. The Trojan then downloads other malicious software, in this case a backdoor that lets the attackers report back on what is happening on the computer. While this malware isn’t being spread by force, the Trojan has been spotted on numerous websites, including that of a Swiss security company.
ESET researchers realised this particular Firefox extension was downloading a backdoor known as Skipper, one commonly used by other Turla malware. However, aside from previous cyber espionage campaigns carried out by Turla, ESET believes this particular Trojan is just a test.
According to ESET, the malware in question uses a Bit.ly short URL to reach its C&C servers. Command and control servers are the systems used to direct malware or botnets, either run directly by the malware’s creators or hosted on compromised machines. The weird part is that this particular URL directs the Trojan to check the comments on a photo uploaded to Britney Spears’ Instagram and search for a comment whose hash value is 183 (a hash value represents a larger piece of data as a much smaller number). The researchers say that only one of the comments matches that value, and that it contains hidden characters used to resolve the C&C domain, so the malware is redirected to the server from which it receives orders.
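The technique described above relies on characters that a human reader never sees. As an added example from the defender’s side (this is not ESET’s code and not anything recovered from the Turla extension), the following Python scanner flags social-media comments that carry invisible code points and shows an analyst both the visible text and where the hidden characters sit. It assumes the hidden characters are Unicode format or control code points such as zero-width joiners; the article does not say which characters Turla used, so that is an assumption of the example, and the sample comments are constructed.

```python
import unicodedata

# Unicode general categories that render as nothing in a comment box:
# Cf = format characters (zero-width joiner, zero-width space, ...),
# Cc = control characters. Which characters Turla actually used is not
# stated in the article; this set is the example's assumption.
HIDDEN_CATEGORIES = {"Cf", "Cc"}
# Ordinary whitespace controls are legitimate in text, so they are not flagged.
ALLOWED_CONTROLS = {"\n", "\r", "\t"}


def is_hidden(ch):
    """True if the character would be invisible to a reader of the comment."""
    return unicodedata.category(ch) in HIDDEN_CATEGORIES and ch not in ALLOWED_CONTROLS


def find_hidden_codepoints(text):
    """Return (index, 'U+XXXX', name) for every invisible code point in text."""
    hits = []
    for i, ch in enumerate(text):
        if is_hidden(ch):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits


def visible_text(text):
    """Strip the invisible code points so the analyst sees what a reader sees."""
    return "".join(ch for ch in text if not is_hidden(ch))


def scan_comments(comments):
    """Flag comments that carry hidden code points.

    comments: iterable of (comment_id, body) pairs.
    Returns a list of findings, one per suspicious comment, with the visible
    rendering, the number of hidden code points and their positions.
    """
    findings = []
    for cid, body in comments:
        hits = find_hidden_codepoints(body)
        if hits:
            findings.append({
                "id": cid,
                "visible": visible_text(body),
                "hidden_count": len(hits),
                "positions": [h[0] for h in hits],
                "codepoints": sorted({h[1] for h in hits}),
            })
    return findings


# Constructed sample comments (not real Instagram data). The third one has
# U+200D ZERO WIDTH JOINER characters placed between ordinary letters, which
# a reader would never notice but a scanner picks up immediately.
SAMPLE_COMMENTS = [
    ("c1", "love this pic"),
    ("c2", "queen!!! #britney"),
    ("c3", "so\u200dpr\u200detty #\u200dx"),
]

if __name__ == "__main__":
    for finding in scan_comments(SAMPLE_COMMENTS):
        print(f"{finding['id']}: {finding['hidden_count']} hidden code point(s) "
              f"{finding['codepoints']} at {finding['positions']}; "
              f"reads as {finding['visible']!r}")
```

The scan is cheap enough to run over every comment on a monitored page, and the same `is_hidden` check is useful on any text that crosses a trust boundary, since invisible code points have no business in an ordinary comment.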
This particular Firefox extension is quite intrusive, capable of letting Turla read a directory’s contents, download and upload files from and to the C&C server, and execute files on the infected computer; these are very basic features compared to other backdoors. Still, it has thankfully only been used about 17 times so far.