Turla APT malware now retrieves C&C address from Instagram comments
8.6.2017 securityaffairs
APT

A malicious code used by Turla APT in a recent campaign leverages comments posted to Instagram to obtain the address of the command and control servers.
Malware researchers at security firm ESET have spotted a new piece of malware used by Turla APT in cyber attacks. The malicious code leverages comments posted to Instagram to obtain the address of its command and control (C&C) servers.

Turla APT is considered a group of hackers linked to the Russian Government, it is also known as Waterbug, KRYPTON and Venomous Bear.

The APT have been active since at least 2007, it was involved in several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.

Last time experts analyzed the threat actor was March 2017 when ESET firm reported that it was continuing to improve its Carbon backdoor, the malware researchers detected new versions released on a regular basis. The group is still active and it is developing new hacking tools and empowering the existing ones.

At the annual Kaspersky Lab conference, researcher Thomas Rid along security experts Costin Raiu and Juan Andres Guerrero-Saade presented the findings of its research that definitively connect the Moonlight Maze cyber espionage campaigns to the Russian APT group.

Turla APT recently targeted the websites of ministries, embassies and other organizations worldwide, in its last campaign hackers leverage social media to control their malware.

The APT has powered watering hole attacks compromising websites that are likely to be visited by targets of interest, the cyber spies injected malicious code on the websites in an effort to redirect their visitors to a server that delivered a JavaScript tool designed for track a profile of the victim’s machine.

In one case, hackers used a Firefox extension that worked as a backdoor, something similar was spotted by malware researchers at Bitdefender while analyzing the Pacifier Operation.

“Through our monitoring of these watering hole campaigns, we happened upon a very interesting sample. Some of you may remember the Pacifier APT report by BitDefender describing a spearphishing campaign with a malicious Microsoft Word document sent to several institutions worldwide. These malicious documents would then drop a backdoor. We now know that this report describes Skipper, a first stage backdoor used by the Turla gang.” reads the analysis published by ESET. “That report also contains a description of a Firefox extension dropped by the same type of malicious document. It turns out we have found what most likely is an update of this Firefox extension. It is a JavaScript backdoor, different in terms of implementation to the one described in the Pacifier APT report, but with similar functionalities.”

The Firefox extension used in this last campaign was spread through the website of a Swiss security company’s website. The backdoor gathers information on the infected system, and it allows attackers to perform ordinary spyware actions.

The peculiarity of the backdoor is the way it obtains the address of its C&C server, it looks at a specific comment posted to a photo on Britney Spears’ Instagram account.

The comment reads

“#2hot make loved to her, uupss #Hot #X,”

Turla APT instagram

Parsing the comment with a regular expression it is possible to obtain a bit.ly URL that represents the backdoor’s C&C server.

The extension determines the comment to parse by computing a custom hash value that must match 183.

“The extension will look at each photo’s comment and will compute a custom hash value. If the hash matches 183, it will then run this regular expression on the comment in order to obtain the path of the bit.ly URL:

(?:\\u200d(?:#|@)(\\w)” continues the analysis.

Parsing the comment through the regex experts got the following bit.ly URL:

http://bit[.]ly/2kdhuHX

“Looking a bit more closely at the regular expression, we see it is looking for either @|# or the Unicode character \200d. This character is actually a non-printable character called ‘Zero Width Joiner’, normally used to separate emojis. Pasting the actual comment or looking at its source, you can see that this character precedes each character that makes the path of the bit.ly URL:

smith2155<200d>#2hot ma<200d>ke lovei<200d>d to <200d>her, <200d>uupss <200d>#Hot <200d>#X

When resolving this shortened link, it leads to static[.]travelclothes.org/dolR_1ert.php , which was used in the past as a watering hole C&C by the Turla crew.” states ESET.

Experts noticed that this above bit.ly URL was only accessed 17 times, which could indicate that hackers were testing the technique.

Researchers also highlighted that some of the APIs used by the malicious extension will no longer work in future Firefox releases, for this reason, upcoming versions of the backdoor will have to be implemented differently.