Hackers use Instagram comments to hide malicious commands
Watch out! There are Russian hackers in Instagram. Image: theUSBport.

On Tuesday, ESET Security discovered a new method that Russian hackers use to connect malware to their command and control centers using encrypted links on Instagram comments.

The hacking group, known as Turla and believed to be working for the Russian state, has been active for roughly a decade. During that time, their signature malware has manifested itself in different ways, always targeting foreign government officials and high-profile figures.

New implications arise from the discovery of social media platforms as channels for malware activation and propagation. Cyber criminals are coming up with ways to make themselves harder to trace and their attacks harder to mitigate.

How does the Turla scheme work on Instagram?

The Slovakian cyber security firm described the new process using a highly unsettling example: a comment posted on Britney Spears’ official Instagram account.

To fully understand how Turla hackers manage to compromise systems and steal data from targets, we need to start from the beginning. The first step of the method involves implanting malware into users’ terminals by hiding it within a browser extension.

Firefox, in this case, is the host for the malicious threat. Unknowing users install the add-on, which in this case was found to be HTML Encoding 0.3.7 but could be any other, and the software triggers a script that redirects them to Instagram.

The extension needs to hook up the malware to the command and control (C&C) server for hackers to take over it. To do this, it scans Instagram comments from specific posts in search for the one that matches its true hash value, a numeric combination that serves to decrypt information.

Thus, a seemingly regular spam post by user asmith2155 read “#2hot maked love to her, uupss #Hot #X,” but it was actually carefully crafted to be the one to match with the lucky number.

After decrypting it, the malware figured out the extension of a bit.ly URL hidden within “2kdhuHX.” The address is, of course, for the malicious site to which the extension redirects the user, effectively compromising its terminal and handing over control to Turla.

The whole process takes seconds, and users are none the wiser upon downloading potentially malicious extensions.

ESET Security’s report shows only 17 people fell for the Turla scheme. These numbers suggest that it was a testing procedure, but it could also mean that widespread implementation could happen anytime soon.

Disguising themselves in plain sight, hackers make themselves even harder to take down. Social media ecosystems are vast, and Instagram, in particular, is about to hit 1 billion users. That is 1 billion potential platforms from where to trigger and spread malware.

Source: ESET Security