The Turla threat actor group is using comments posted on Instagram to obtain command and control (C&C) servers for its watering hole campaigns. For years, Turla has been targeting government officials and diplomats with watering hole techniques. Such attacks involve compromising websites its targets are likely to visit and redirecting them to its C&C infrastructure. In these ongoing campaigns, the threat actor group is appending snippets of code to the original pages of embassy websites. The threat actor, which is linked to malware like ComRAT and potentially Kazuar, is intent on shielding its appended scripts from discovery. That's why it's cloaking them with a unique disguise. Jean-Ian Boutin, a senior malware researcher at ESET, elaborates in a blog post:
"The attackers added a reference to Clicky, a real time web analytics framework. They are adding this framework name in an attempt to legitimize the appended script to cursory, or non-expert, examination, although it is not actually used in the attack. We can see here that this injected script calls another script at mentalhealthcheck.net/update/counter.js. This is a server the Turla gang has been using to push fingerprinting scripts – scripts that will gather information about the system it is running on – to interesting victims."
From there, Turla uses IP filtering to identify interesting targets onto whom it can pass its fingerprinting JavaScript. If a visitor falls in the targeted range, they receive the script that loads a JS library capable of collecting system information and a super cookie that can track their activity across the web. If not, they get a JS implementation of the MD5 hashing algorithm. Once the initial compromise is over, the threat actor moves onto installing a backdoor on the victim's machine. One campaign accomplished this subsequent action by tricking unsuspecting users into downloading a Firefox extension through a a compromised Swiss security company website. The extension is a simple backdoor that's capable of interacting with its C&C to download and upload files, execute arbitrary files, and read directory content. What makes the extension interesting, however, is the process by which it obtains its C&C server. As Boutin explains:
"The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account."
One of the Instagram posts used by Turla's Firefox extension to obtain its C&C server. The pointer comment is bordered in red. (Source: ESET) The extension looks at each comment and computes its hash value. If that value equals 183, it runs its regular expression on the comment to obtain the bit.ly URL of its C&C server. Using social media to obtain its C&C servers makes it more difficult for defenders. On the one hand, it's difficult to differentiate malicious from regular traffic on sites like Instagram. On the other, using Instagram posts makes switching C&C servers a piece of cake. With these tactics in mind, users should protect themselves by installing an anti-virus solution on their computers, not installing suspicious extensions on their machines, and configuring their browsers to alert them when a web page attempts to redirect them to another site. Enterprises should also use advanced threat protection capabilities like behavioral analysis to monitor for malicious third-party traffic.
