Turla Espionage Group, infamous for targeting governments, their officials and diplomats since at least 2007, has added a new campaign to its arsenal. According to ESET, the latest watering hole tactic includes updated Firefox Extension abusing the popular social network – Instagram. As usual, Turla’s watering hole attacks compromise websites that are likely to be visited by their targets of interest in order to redirect them to their Command and Control (C&C) infrastructure. When monitoring recent campaigns, ESET reserachers spotted a previously documented Firefox extension dropped. Unlike the previous version, the extension uses a bit.ly URL to reach its C&C. However, the URL path is nowhere to be found in the Firefox extensions, but instead obtained by using comments posted on a specific Instagram post. An analyzed example was a post made on Britney Spears Instagram account. To obtain the bit.ly URL, the extension screens each photo’s comments, for each comment it computes it has a custom hash value. If the hash value matches the number, it will then run the regular expression on the comment in order to obtain the URL path. “The fact that Turla is using social media to recover C&C addresses is making life harder for cybersecurity vendors as the tactic makes it difficult to distinguish malicious traffic from legitimate traffic to social media,” explains Jean-Ian Boutin, Senior Malware Reseracher at ESET. “As the information needed to obtain the command and control URL is simply a comment on social media, the attacker has the possibility to easily modify it or completely erase it.”To avoid being drawn into such watering hole campaign, ESET reserachers recommend as a good practice - keeping browsers and browsers’ plugins up-to-date. Another principle worth adopting is to avoid downloading and installing any extensions/add-ons coming from illegitimate sources. Luckily, modern cybersecurity solutions are able to detect suspicious looking websites and warn users, so it is always good to have one active and up to date.To read the entire analysis on Turla’s new watering hole campaign: Turla’s watering hole campaign: Updated Firefox Extension abusing Instagram, please visit WeLiveSecurity.com.
About ESET
Since 1987, ESET® has been developing record award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 200 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia). ESET Middle East has its regional office in Dubai Internet City and manages an extensive partner network in 11 countries: United Arab Emirates, Saudi Arabia, Kuwait, Qatar, Oman, Bahrain, Yemen, Lebanon, Jordan Egypt and Libya. More information is available via www.eset.com/me