
The Unbelievable Place Where Russian Hackers Hid Their Malware’s Control Center Link


Researchers have linked the Russian hacker group Turla to a malicious Firefox extension that locates its C&C server through social media. The extension reads the comments on an Instagram post belonging to Britney Spears, hashes each one, and extracts an obfuscated bit.ly path from the comment whose hash matches the expected value; that shortened link leads to the C&C.
Security researchers at ESET have discovered a malicious Firefox extension that can steal data from people's computers. What is surprising is the way it finds the C&C server that receives the collected information. The extension is tied to the Russian hacker group Turla.
The researchers say they found a previous implementation of the extension while reading Bitdefender's Pacifier APT report, which describes a spear-phishing campaign conducted by Turla.
The researchers said the extension is a JavaScript backdoor with similar functions, but its implementation differs from the one described in the report. The extension ended up on the devices of unsuspecting users via the compromised website of a Swiss security company.

The backdoor component of the innocent looking extension includes the following commands:
  • execute binary file
  • upload file to C&C
  • download from C&C
  • read directory content – send a file listing, along with sizes and dates, to C&C
According to the researchers, the extension parses the comments on an Instagram post, in this case one belonging to Britney Spears, to find the location of the command and control server. Interestingly, the C&C address appears neither in the extension's code nor, in plain form, in the comment it searches for: the comment carries only an obfuscated bit.ly path.
The researchers describe the working of the extension as follows:
The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:
(?:\\u200d(?:#|@)(\\w)

Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:
http://bit.ly/2kdhuHX
Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:
smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew.
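The extraction step the researchers describe, as an added example that is not ESET's code or the extension's own: the regular expression below is my reconstruction of the rule quoted above (a U+200D marker, an optional `#` or `@`, then one word character) and it reproduces the path from the quoted comment. The comment list is constructed sample data, and the custom comment hash is not reproduced because the page does not give it.

```javascript
// Added example, not ESET's or the extension's own code.
// Decodes a bit.ly path hidden in an Instagram comment behind Zero Width
// Joiner (U+200D) markers, and scans a batch of comments for such payloads.
// Assumption: the regex is a reconstruction of the rule quoted above, and
// the comments below are constructed sample data.

const ZWJ = "\u200d";

// Each hidden character is preceded by U+200D, optionally with "#" or "@"
// between the marker and the character ("\u200d#2" -> "2", "\u200dk" -> "k").
const HIDDEN_CHAR_RE = /\u200d(?:#|@)?(\w)/g;

// The page renders the marker as "<200d>"; turn that back into the code point.
function fromDisplayForm(text) {
  return text.replace(/<200d>/g, ZWJ);
}

// Concatenate the marked characters in order to recover the bit.ly path.
function extractHiddenPath(comment) {
  return Array.from(comment.matchAll(HIDDEN_CHAR_RE), (m) => m[1]).join("");
}

function buildBitlyUrl(path) {
  return path ? `http://bit.ly/${path}` : null;
}

// Constructed sample: the comment quoted on the page plus two benign ones.
const SAMPLE_COMMENTS = [
  fromDisplayForm(
    "smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X"
  ),
  "love this pic #queen",
  // A legitimate emoji ZWJ sequence (family): uses U+200D but hides nothing.
  "so cute \u{1F468}\u200d\u{1F469}\u200d\u{1F467}",
];

// Analyst-side scan: flag comments that decode to a non-empty path. Keying on
// the decoded path, not on the mere presence of U+200D, avoids flagging emoji.
function scanComments(comments) {
  const hits = [];
  comments.forEach((comment, index) => {
    const zwjCount = (comment.match(/\u200d/g) || []).length;
    const path = extractHiddenPath(comment);
    if (path.length > 0) {
      hits.push({ index, zwjCount, path, url: buildBitlyUrl(path) });
    }
  });
  return hits;
}

console.log(scanComments(SAMPLE_COMMENTS));
```

Running the scan decodes the quoted comment to `2kdhuHX`, i.e. `http://bit.ly/2kdhuHX`, while the emoji comment yields no path even though it contains U+200D, which is why the scanner keys on the decoded path rather than on the marker alone.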
The extension was downloaded 17 times in February 2017, around the same time when the comment appeared on the post.
The researchers believe the extension was a test rather than a tool for a large-scale attack. Also, Mozilla is replacing the legacy add-on components and APIs the extension relies on.
“For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These can only be used by add-ons that will be superseded by WebExtensions starting with Firefox 57,” the researchers write in the post.
“From that version onwards, Firefox will no longer load add-ons, thus preventing the use of these APIs.”
This kind of modus operandi isn't entirely new; in the past, the hacker group known as the Dukes used social media in a similar way. Researchers say such methods are hard to trace because malicious traffic is difficult to tell apart from legitimate social-media traffic, and the attackers can change the C&C at will and even remove its traces.
“It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult,” the researchers conclude.