How a Hacking Group Used Britney Spears’ Instagram to Operate a Command and Control Server

By on

A nasty piece of malware is currently being tested by a Russian hacking group named Turla, and its trial round has been conducted in an unexpected area of the internet — the comments section of Britney Spears’ Instagram. As a matter of fact, they’re using her Instagram as a way to contact the malware’s command and control (C&C) server.

So how does Turla make this happen, exactly? Leveraging a recently discovered backdoor found in a fake Firefox extension, the cybercriminals instruct the malware to scroll through the comments on Spears’ photos and search for one that has a specific hash value. When the malware finds the comment it was told to look for, it converts it into this Bitly link: The shortened link resolves to a site that’s known to be a Turla watering hole.

This way, in the chance their attack becomes compromised, the cybercriminals can ensure their C&C can be changed without having to change the malware. If the attackers want to create a new meetup location, all they have to do is delete the first infected comment, and infiltrate a new one with same hash value.

This infected comment on Spears’ post doesn’t look exactly normal, but most people probably would think it’s just spam — unless they clicked it. If someone does in fact click on the link, they’ll be directed to the hacker group’s forum, which is where they actually infect innocent users. For this Trojan in particular, visitors who click will get taken to a site and asked to install the extension with the benign name “HTML5 Encoder.”

The good news is — this is, after all, just a test. Plus, Firefox is said to be already working on a fix so that the extension being used won’t work anymore.

For more information on this attack and others like it, follow @McAfee and @McAfee_Business.

Leave a Comment

Similar articles

While you might have been preoccupied with ghosts and goblins on Halloween night, a different kind of spook began haunting Google Chrome browsers. On October 31st, Google Chrome engineers issued an urgent announcement for the browser across platforms due to two zero-day security vulnerabilities, one of which is being actively exploited in the wild (CVE-2019-13720). ...
Read Blog
For anyone who asks what happens during the tween through teen years, the best answer is probably, “What doesn’t happen?!” Just so you know, I’ve been there, done that, and got the T-shirt. And I survived. My kids were the first generation to grow up on social media. Like most teens in the mid-2000s, they ...
Read Blog