
The Unbelievable Place Where Russian Hackers Hid Their Malware’s Control Center Link


Researchers have linked a Russian hacker group called Turla to a malicious Firefox extension that locates its C&C server through social media. The malware hashes the comments on an Instagram post belonging to Britney Spears and, when one comment matches a hard-coded hash value, extracts a bit.ly URL hidden in that comment; the shortened link resolves to the C&C.
Security researchers at ESET have discovered a malicious Firefox extension that can steal data from people's computers. What is surprising is the way it finds the server it reports to, a C&C tied to the Russian hacker group Turla.
The researchers say they found a previous implementation of the extension while reading Bitdefender's Pacifier APT report, which describes a spearphishing campaign conducted by Turla.
According to the researchers, the extension is a JavaScript backdoor with functions similar to the one in that report, but a different implementation. It ended up on the devices of unsuspecting users via the compromised website of a Swiss security company.

The backdoor component of the innocent looking extension includes the following commands:
  • execute binary file
  • upload file to C&C
  • download from C&C
  • read directory content – send a file listing, along with sizes and dates, to C&C
According to the researchers, the Firefox extension analyzes the comments posted on an Instagram post – this time belonging to Britney Spears – to find the location of the command and control center. Interestingly, the direct address of the C&C is nowhere mentioned in the extension’s code or the comment it searches on a particular Instagram post.
The researchers describe the working of the extension as follows:
The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:
(?:\\u200d(?:#|@)(\\w)
Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the following bit.ly URL:
http://bit.ly/2kdhuHX
Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:
smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
When resolving this shortened link, it leads to static.travelclothes.org/dolR_1ert.php, which was used in the past as a watering hole C&C by the Turla crew.
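The decoding step described above, as an added example (this is not ESET's code and not the extension's code): each character of the bit.ly path is preceded in the comment by U+200D ZERO WIDTH JOINER, optionally followed by a `#` or `@` so the text still reads like a hashtag or mention. The page shows only the beginning of ESET's regular expression, so the pattern below is my own reconstruction of the same idea; the comment string is constructed from the one quoted above, with `<200d>` rendered as the real character. The hash check that gates which comment gets decoded is not reproduced because the page does not give the hash function. The last function goes beyond the page and shows the detection side: a ZWJ is legitimate only between emoji code points, so a ZWJ followed by ASCII text is a strong indicator of this kind of steganography.

```javascript
// Added example: decoding a bit.ly path hidden with U+200D in an Instagram
// comment, plus a simple detector for ZWJ-based text steganography.

const ZWJ = "\u200d";

// Constructed input: the comment quoted in the article, with "<200d>"
// replaced by the actual ZERO WIDTH JOINER character.
const COMMENT =
  "smith2155" + ZWJ + "#2hot ma" + ZWJ + "ke lovei" + ZWJ + "d to " +
  ZWJ + "her, " + ZWJ + "uupss " + ZWJ + "#Hot " + ZWJ + "#X";

// Reconstruction of the extraction pattern (assumption, not ESET's exact regex):
// a ZWJ, then an optional '#' or '@', then the one word character to keep.
const HIDDEN_CHAR_RE = /\u200d[#@]?(\w)/g;

// Collect every character that follows a ZWJ marker, in order.
function extractHiddenPath(comment) {
  const chars = [];
  for (const m of comment.matchAll(HIDDEN_CHAR_RE)) {
    chars.push(m[1]);
  }
  return chars.join("");
}

// Turn the recovered path into the shortened URL the backdoor would resolve.
function buildShortUrl(comment) {
  const path = extractHiddenPath(comment);
  return path ? "http://bit.ly/" + path : null;
}

// Detection heuristic: report the index of every ZWJ whose next code point
// is ASCII. Emoji sequences (e.g. family glyphs) join non-ASCII code points,
// so those produce no hits while the hidden-path trick above produces one
// hit per hidden character.
function zwjAnomalies(text) {
  const hits = [];
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== ZWJ) continue;
    const next = text.codePointAt(i + 1);
    if (next !== undefined && next < 0x80) hits.push(i);
  }
  return hits;
}

// Stand-alone run: prints the recovered URL and the anomaly positions.
console.log(buildShortUrl(COMMENT));
console.log(zwjAnomalies(COMMENT));
```

Running it against the constructed comment recovers the path `2kdhuHX`, matching the URL the researchers obtained, and the detector flags all seven joiners, while a benign emoji sequence such as a family glyph yields no hits.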
The extension was downloaded 17 times in February 2017, around the same time when the comment appeared on the post.
The researchers believe this extension is a test rather than the apparatus for a large-scale attack. Also, Mozilla is phasing out the legacy add-on components and APIs the extension relies on.
“For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These can only be used by add-ons that will be superseded by WebExtensions starting with Firefox 57,” the researchers write in the post.
“From that version onwards, Firefox will no longer load add-ons, thus preventing the use of these APIs.”
This modus operandi is not entirely new: the hacker group known as the Dukes has used social media in a similar way in the past. Researchers say such methods are hard to trace because malicious traffic is difficult to distinguish from legitimate traffic to a social media site, and the attackers can change the C&C location at will and remove its traces simply by editing or deleting a comment.
“It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult,” the researchers conclude.