Malware researchers at security firm ESET have spotted a new piece of malware used by Turla APT in cyber attacks. The malicious code leverages comments posted to Instagram to obtain the address of its command and control (C&C) servers.
Turla APT is considered a group of hackers linked to the Russian Government, it is also known as Waterbug, KRYPTON and Venomous Bear.
The APT have been active since at least 2007, it was involved in several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.
Last time experts analyzed the threat actor was March 2017 when ESET firm reported that it was continuing to improve its Carbon backdoor, the malware researchers detected new versions released on a regular basis. The group is still active and it is developing new hacking tools and empowering the existing ones.
At the annual Kaspersky Lab conference, researcher Thomas Rid along security experts Costin Raiu and Juan Andres Guerrero-Saade presented the findings of its research that definitively connect the Moonlight Maze cyber espionage campaigns to the Russian APT group.
Turla APT recently targeted the websites of ministries, embassies and other organizations worldwide, in its last campaign hackers leverage social media to control their malware.
In one case, hackers used a Firefox extension that worked as a backdoor, something similar was spotted by malware researchers at Bitdefender while analyzing the Pacifier Operation.
The Firefox extension used in this last campaign was spread through the website of a Swiss security company’s website. The backdoor gathers information on the infected system, and it allows attackers to perform ordinary spyware actions.
The peculiarity of the backdoor is the way it obtains the address of its C&C server, it looks at a specific comment posted to a photo on Britney Spears’ Instagram account.
The comment reads
“#2hot make loved to her, uupss #Hot #X,”
Parsing the comment with a regular expression it is possible to obtain a bit.ly URL that represents the backdoor’s C&C server.
The extension determines the comment to parse by computing a custom hash value that must match 183.
“The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:
(?:\\u200d(?:#|@)(\\w)” continues the analysis.
Parsing the comment through the regex experts got the following bit.ly URL:
“Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:
smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
When resolving this shortened link, it leads to static[.]travelclothes.org/dolR_1ert.php , which was used in the past as a watering hole C&C by the Turla crew.” states ESET.
Experts noticed that this above bit.ly URL was only accessed 17 times, which could indicate that hackers were testing the technique.
Researchers also highlighted that some of the APIs used by the malicious extension will no longer work in future Firefox releases, for this reason, upcoming versions of the backdoor will have to be implemented differently.
(Security Affairs – Turla APT group, cyber espionage)