Short Beta: Researchers have linked a Russian hacker group called Turla to a malicious Firefox extension which contacts its C&C server using the social media accounts. It has been known that the malware used the comment on an Instagram post of Britney Spears to decrypt the hash value for the C&C present in a comment.
The security researchers at Eset have discovered a malicious Firefox extension that can steal data from people computers. What’s surprising is the way it sends the collected information to its C&C server – tied to the Russian hacker group Turla.
The researchers say that they found a previous implementation of the extension while browsing a BitDefender’s Pacifier APT report describing a spearphishing campaign conducted by Turla.
The backdoor component of the innocent looking extension includes the following commands:
- execute binary file
- upload file to C&C
- download from C&C
- read directory content – send a file listing, along with sizes and dates, to C&C
According to the researchers, the Firefox extension analyzes the comments posted on an Instagram post – this time belonging to Britney Spears – to find the location of the command and control center. Interestingly, the direct address of the C&C is nowhere mentioned in the extension’s code or the comment it searches on a particular Instagram post.
The researchers describe the working of the extension as follows:
The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of theURL:
(?:\\u200d(?:#|@)(\\w)Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the followingURL:
Looking at the photo’s comments, there was only one for which the hash matches 183. This comment was posted on February 6, while the original photo was posted in early January. Taking the comment and running it through the regex, you get the followingURL:
Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of theURL:
smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X
When resolving this shortened link, it leads to, which was used in the past as a watering hole C&C by the Turla crew.
The extension was downloaded 17 times in February 2017, around the same time when the comment appeared on the post.
The researchers believe this extension is some test rather than an apparatus for a massive attack. Also, Firefox developers are updating the components and APIs used by the extension to compromise people.
“For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These can only be used by add-ons that will be superseded by WebExtensions starting with Firefox 57,” the researchers write in the post.
“From that version onwards, Firefox will no longer load add-ons, thus preventing the use of these APIs.”
This kind of modus operandi isn’t entirely new. In the past, a hacker group called Dukes headed out to social media and shown similar behavior. Researchers said such methods are difficult to trace because it’s hard to differentiate malicious traffic from legitimate on the social media and the attackers have the ease of changing the C&C as per their will and even remove its traces.
“It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult,” the researchers conclude.
Got something to add? drop your thoughts and feedback.