Turla, a known hacking group believed to be associated with Russian hackers, is using Britney Spears' Instagram profile as a means to control computers infected with malware in plain sight. This is done by posting specially crafted comments that contain special strings of characters encoding bit.ly links.
Although the approach is not new, the purpose of doing this is to use the infected computers to launch attacks against governments and militaries. According to data security researchers at Eset, the group is taking advantage of a recently-discovered backdoor identified in a fake Firefox extension.
The comments made on the profile look harmless at a glance, but in reality they allow the malware to learn the location of the group's moving command server without appearing suspicious. For example, a comment could command the malware to look for passwords or deliver ransomware.
The reason why the hacking group has decided against using their own servers to deploy these commands is simple: the command server cannot stay in one place for too long, lest they risk detection.
Further explanation was provided by Eset, revealing that the exact URL of the command server is not coded into the extension itself. Rather, the URL is hidden in the photo comments as special strings of characters, which the extension converts into custom hash values to reveal the URL address.
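The mechanism described above is a dead-drop resolver: the comment text is the carrier, and a selection rule known only to the malware picks out the characters that spell the bit.ly path. The following is an added model of that idea, not ESET's analysis code or Turla's implementation; the position-based selector, the filler text and the hidden path are all constructed stand-ins, since the article does not disclose the real hashing rule.

```python
"""Toy model of a comment-based dead-drop resolver (added example).

The real extension hashes the comment text with an undisclosed custom
function; here a hypothetical position hash stands in for it, which is
enough to show why the comment reads as harmless chatter while still
carrying a bit.ly path that only the decoder can recover.
"""
import re
from itertools import cycle

# Shape of a bit.ly path segment (e.g. "2kdhuHb"): 6-8 alphanumerics.
BITLY_PATH = re.compile(r"^[A-Za-z0-9]{6,8}$")


def keep_position(i: int) -> bool:
    """Hypothetical selector: keep the character at index i when a small
    polynomial hash of the index hits a fixed target value."""
    return (i * i + 3 * i) % 7 == 4


def hide_path(path: str, filler: str) -> str:
    """Build a comment whose selected positions spell `path`; every other
    position is padded with characters cycled from `filler`."""
    out, pos, fill = [], 0, cycle(filler)
    remaining = list(path)
    while remaining:
        out.append(remaining.pop(0) if keep_position(pos) else next(fill))
        pos += 1
    return "".join(out)


def recover_path(comment: str) -> str:
    """Decoder side: keep only the characters the selector flags."""
    return "".join(ch for i, ch in enumerate(comment) if keep_position(i))


def looks_like_dead_drop(comment: str) -> bool:
    """Check whether the recovered characters form a bit.ly-shaped path.
    Note this only works because the selector is known; without the rule,
    the comment is indistinguishable from ordinary fan chatter."""
    return bool(BITLY_PATH.match(recover_path(comment)))


if __name__ == "__main__":
    # Constructed sample: "2kdhuHb" is a made-up path, not a real link.
    comment = hide_path("2kdhuHb", "#hot summer vibes ")
    print(comment)                      # reads like a throwaway comment
    print(recover_path(comment))        # decoder extracts "2kdhuHb"
    print(looks_like_dead_drop(comment), looks_like_dead_drop("cute pic!"))
```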
According to the researchers, the bit.ly link has only had 17 clicks thus far, which is why they believe this was only a test of sorts. The next version of the extension is likely to be very different.