Turla Uses Instagram in Latest Campaign Wave

Turla Uses Instagram in Latest Campaign Wave

The APT group known as Turla is abusing Instagram to feed its watering hole campaigns.

Turla has been targeting governments, government officials and diplomats for years, according to an analysis by ESET, and have been using watering hole techniques to redirect potentially interesting victims to their C&C infrastructure since at least 2014. Lately, Turla has been keen on targeting those visiting embassy sites, with the majority of websites that have been used to redirect visitors to malicous watering holes directly related to embassies throughout the world.

“The websites’ visitors will be redirected to a malicious server,” ESET researchers said, in an analysis. “It will also try to install an evercookie, or so-called super cookie, that will track the user throughout his browsing, across all sites on the internet.”

Turla also is mounting a spearphishing campaign with a malicious Microsoft Word document sent to several institutions worldwide. These malicious documents drop the Skipper first-stage backdoor. It also drops an update of a Firefox extension, distributed through a compromised Swiss security company website, which also turns out to be a simple backdoor. This component gathers information on the system it is running on, can upload or download files from the system, and executes arbitrary code.

The really unusual aspect of the attack is this: The extension obtains its path to the C&C by using comments posted on a specific Instagram post. The one that ESET used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account.

“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders. Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it.”

Source: Information Security Magazine