Instagram Comments Could Contain Malware Controllers, Report Says
Instagram might be one of the most popular social networking platforms, but it could potentially serve as a communication tool for hackers, according to new findings. One of the ways hackers might be communicating with each other could be by posting comments on popular celebrities’ Instagram posts.
ESET Security, a Slovak cyber security company released a report Tuesday, with an example of such a comment, posted on singer Britney Spears' Instagram post. The comment has since been deleted.
Read: Meet Turla, The Russian Hacking Group Using Commercial Satellites To Spy On US, Europe
The post contained controlling instructions for Russian hacker group Turla, which has been targeting governments around the world, especially former Eastern Bloc countries. According to the report, the backdoor Trojan software uses comments to locate the control server which sends instructions and offloads stolen data to and from infected PCs. The practice makes the malware harder to detect since the server is never directly referenced either in the malware or the Instagram comments. The malware uses regular expressions combined cryptographic dashes used in Instagram to find its control server to send across data from infected PCs.
The malware was being masked as a Firefox browser extension which acted as a security feature. It would provide hackers with complete control of an infected computer.
“The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears' official Instagram account,” the report stated.
According to bit.ly data obtained by ESET, the URL in the Instagram comment had received 17 visits in February this year. According to the researchers, the low numbers of visits might be an indication that the malware could be in a testing stage or it might just be aimed only at a few high-profile individuals.
The report further added that the malware spread through the website of an unnamed security company located in Switzerland. The Firefox extension might have served as an update to cyber espionage software called Pacifier, which attacked Romanian institutions and other foreign targets. According to cyber security company BitDefender, samples of the same malicious software were detected in Iran, India, Philippines, Russia, Lithuania, Thailand, Vietnam and Hungary. Constant updates let the malware evolve over time, making it even stealthier and enabling additional functionality for bigger payloads of data.
Read: Fireball Malware: Cyberattack Infects 250 Million Devices, 20 Percent Of Corporate Computer Networks
According to a Symantec report issued in August 2014, a Turla malware called Wipbot was responsible for infiltrating many Windows-based systems of embassies and governments of many European countries. In March this year, an Ars Technica report stated that Turla was using the zero-day vulnerability, which was neutralized by Microsoft later.
© Copyright IBTimes 2024. All rights reserved.