Turla (Malware) Uses Instagram in Latest Offensive Wave
Turla has been targeting authorities, government officials and diplomats for years, according to an analysis by ESET, and has been using watering hole techniques to redirect potentially interesting victims to its C&C infrastructure since at least 2014. Lately, Turla has been keen on targeting those visiting embassy sites: nearly all of the websites recently used to redirect visitors to malicious watering holes are directly related to embassies around the world.
“The websites’ visitors will be redirected to a malicious server,” ESET researchers said in an analysis. “It will also try to install an evercookie, or so-called supercookie, that will track the user throughout his surfing, across all websites.”
Turla is also running a spearphishing campaign with a malicious Microsoft Word document sent to several institutions worldwide. These malicious documents drop the navigator first-stage backdoor. The campaign also drops a Firefox extension, distributed through a compromised Deluxe security company website, which also turns out to be a simple backdoor. This component gathers information on the device it is running on, can upload or download files from the system, and executes arbitrary code.
The truly unusual aspect of the attack is that the extension obtains the path to its C&C server from comments posted on a specific Instagram post. In the sample ESET analyzed, this was a comment on an image published to the official Instagram account of Britney Spears.
“The fact that the Turla actors are using social media as a way to obtain its C&C servers is worth noting. This behavior has already been noticed in the past by other threat crews including the Dukes. Attackers using social media to retrieve a C&C address are making life harder for defenders.

Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more overall flexibility when it comes to changing the C&C address as well as erasing all traces of it.”