It seems that the attackers were just testing it out

Jun 8, 2017 18:51 GMT

Security researchers discovered what appeared to be a harmless comment left on an Instagram picture posted by Britney Spears; in fact, the comment told Russian malware how to get in touch with its controllers.

According to ESET Security, among the 7,000 comments on Spears' photo was a hidden message with more to it than met the eye. The malware itself was hidden in a Firefox browser extension posing as a security feature. Rather than protecting the user, the extension searched the comments on the Instagram post for a hidden link telling it how to connect back to its control server.

The comment has since been deleted, but it was in fact an encoded web address that was quite complicated to decipher.

The malware was programmed to go through all the comments on the Instagram photo and compute a hash (a number derived from the text) for each of them, looking for one specific hash. When it found the comment with the right hash, it looked for particular marker characters, took the letters that followed them and assembled those letters into a bit.ly link. That link would then lead the malware to its C&C server.

Who's pulling the strings?

The group behind this particular scheme is Turla, an infamous Russian cyber-espionage group known for targeting governments, high officials, and diplomats.

ESET specialists believe this was just a test to see whether the scheme would work, since the link had received only a few clicks.

"The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders," ESET researchers write.

"Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult."
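Each hop of the chain the article describes (a fetch of one social-media post, then a URL shortener, then a connection to an unrelated host) looks ordinary on its own, which is exactly the difficulty ESET points to; correlating the three hops per client is one way a defender can still spot it. The following Python is an added example, not part of the article or of ESET's research; the log format, host lists, time window and every host name in the sample lines are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(seconds=30)            # max gap between consecutive hops (assumed)
SOCIAL_HOSTS = {"www.instagram.com", "instagram.com"}
SHORTENER_HOSTS = {"bit.ly"}
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+)$")  # "timestamp client method url" (assumed format)

# Constructed proxy log lines (not from the article); all hosts and paths are placeholders.
SAMPLE_LOG = """\
2017-06-08T10:00:01 10.0.0.5 GET https://www.instagram.com/p/CONSTRUCTEDPOST/
2017-06-08T10:00:03 10.0.0.5 GET https://bit.ly/CONSTRUCTED1
2017-06-08T10:00:04 10.0.0.5 GET http://cc-placeholder.example/ping
2017-06-08T10:00:10 10.0.0.7 GET https://www.instagram.com/p/CONSTRUCTEDPOST/
2017-06-08T10:00:12 10.0.0.7 GET https://www.instagram.com/explore/
2017-06-08T10:20:00 10.0.0.9 GET https://bit.ly/CONSTRUCTED2
2017-06-08T10:20:01 10.0.0.9 GET https://news.example/article
"""

def find_dead_drop_chains(log_text, window=WINDOW):
    """Return [(client, host)] for clients that fetch a specific social-media post, then a
    URL shortener, then some other host, each hop within `window` of the previous one."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, url = m.groups()
            parsed = urlparse(url)
            per_client[client].append((datetime.fromisoformat(ts), parsed.netloc.lower(), parsed.path))
    alerts = []
    for client, events in per_client.items():
        stage, last = 0, None          # 0: need post fetch, 1: need shortener, 2: need third hop
        for ts, host, path in sorted(events):
            if stage and ts - last > window:
                stage = 0              # chain went stale; start over
            if host in SOCIAL_HOSTS and path.startswith("/p/"):
                stage, last = 1, ts    # one particular post was fetched
            elif stage == 1 and host in SHORTENER_HOSTS:
                stage, last = 2, ts    # shortener hit right after the post
            elif stage == 2 and host not in SOCIAL_HOSTS | SHORTENER_HOSTS:
                alerts.append((client, host))  # third hop to an unrelated host: flag it
                stage = 0
    return alerts
```

Only 10.0.0.5 completes all three hops within the window; the client that browses on within Instagram and the one that follows a short link without first fetching a post are not flagged.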