A Russian cyber-attack group called Turla has crafted a trojan that is camouflaged as a Firefox plug-in. Its operators hide the location of a command-and-control (C&C) server in a comment on a photo on Britney Spears' Instagram account, and the malware reads it from there.
As reported by Bleeping Computer, based on research by ESET, the extension was served from the compromised website of a Swiss security company under the innocuous name HTML5 Encoding.
The comment reads like ordinary fan chatter, but it carries hidden, non-printing characters that the extension extracts and assembles into a shortened URL, which in turn redirects to the C&C server. The extension picks the right comment out of the thread by hashing each one and comparing the result with a hard-coded value, so nobody reading the photo page would notice which comment matters. Because the link went through a URL shortener, whose click counter is public, ESET could see that it had been followed only a handful of times, and it concluded that this extension was most likely a test. That in turn suggests the technique is part of a broader toolkit or attack.
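To make the mechanism concrete, here is a small Node.js model of the comment "dead drop" described above. It is an added example written for this page, not code from the article, from ESET or from the Turla extension. The article gives no encoding details, so the marker scheme (a U+200D zero width joiner placed before each payload character), the checksum used to pick the comment (`commentChecksum`, a hypothetical stand-in for the real hash), the bit.ly prefix, and the sample comments and secret path are all assumptions or constructed inputs. The block also shows the defender's side: flagging any comment that contains zero-width code points.

```javascript
// Added example (written for this page, not code from the article, from ESET
// or from the Turla extension): a model of the Instagram-comment "dead drop"
// described above, for Node.js. The article gives no encoding details, so
// everything here is an assumption:
//  - the hidden payload is marked by a U+200D ZERO WIDTH JOINER placed right
//    before each character that belongs to the secret string;
//  - the implant picks the right comment with a small checksum
//    (commentChecksum, a hypothetical stand-in for the real hash);
//  - the shortener prefix is bit.ly (the article only says "a URL shortener").
// The sample comments, cover text and secret path are constructed.

const ZWJ = "\u200d";
const SHORTENER = "https://bit.ly/";

// Code points that render as nothing and are therefore usable as markers.
// The decoder only relies on ZWJ; the detector treats all of them as suspect.
const ZERO_WIDTH = new Set(["\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"]);

// Attacker side: the secret is every character that immediately follows a ZWJ.
function extractHiddenPath(comment) {
  const chars = Array.from(comment); // iterate code points, not UTF-16 units
  let path = "";
  for (let i = 0; i < chars.length - 1; i++) {
    if (chars[i] === ZWJ) path += chars[i + 1];
  }
  return path;
}

// Hypothetical checksum over the visible text only (markers are skipped), so
// the operator can tune the cover text until it hits the hard-coded value.
function commentChecksum(comment) {
  let sum = 0;
  for (const ch of comment) {
    if (!ZERO_WIDTH.has(ch)) sum = (sum + ch.codePointAt(0)) % 256;
  }
  return sum;
}

// Attacker side: scan the thread, decode the first comment whose checksum
// matches and which actually carries a payload. Returns null if none does.
function resolveC2(comments, expectedChecksum) {
  for (const c of comments) {
    if (commentChecksum(c) !== expectedChecksum) continue;
    const path = extractHiddenPath(c);
    if (path.length > 0) return SHORTENER + path;
  }
  return null;
}

// Defender side: text that renders as plain chatter but contains zero-width
// code points deserves a look, whatever encoding sits behind it.
function hasZeroWidth(text) {
  for (const ch of text) if (ZERO_WIDTH.has(ch)) return true;
  return false;
}

function flagSuspicious(comments) {
  return comments.filter(hasZeroWidth);
}

// Used only to build the constructed sample: insert a ZWJ before the next
// unused occurrence of each secret character in the cover text.
// Returns null if the cover text cannot carry the secret in order.
function embed(cover, secret) {
  const out = Array.from(cover);
  let from = 0;
  for (const s of secret) {
    const idx = out.indexOf(s, from);
    if (idx === -1) return null;
    out.splice(idx, 0, ZWJ);
    from = idx + 2; // skip the marker and the character just used
  }
  return out.join("");
}

// Constructed thread: two innocent comments and one carrying the path "2cqHB".
const SAMPLE_COMMENTS = [
  "omg she looks amazing",
  embed("2 hot 2 handle!! love this pic, queen of pop forever #Hot #Britney", "2cqHB"),
  "first!!!",
];

// A real implant would hard-code this number; here it is derived so the
// sample stays consistent if the cover text is edited.
const EXPECTED_CHECKSUM = commentChecksum(SAMPLE_COMMENTS[1]);

console.log("rendered comment :", SAMPLE_COMMENTS[1]);
console.log("resolved C&C     :", resolveC2(SAMPLE_COMMENTS, EXPECTED_CHECKSUM));
console.log("flagged comments :", flagSuspicious(SAMPLE_COMMENTS).length);
```

The point of the checksum is that a page full of comments gives the operator a free selector: only the one comment whose visible text hashes to the expected value is decoded, and the rest is noise. The detector does not need to know the scheme; any zero-width code point in user-generated text that is supposed to be plain chatter is worth flagging.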
Aside from the cunning awesomeness of using Britney Spears in this way, there are a few lessons for us to learn.
Locking down browsers so that users cannot install arbitrary third-party plug-ins is a good start. Just as important is monitoring outbound network traffic for anomalies: a browser extension that periodically fetches an Instagram page and then calls out to a URL shortener and from there to an unfamiliar host is exactly the kind of pattern that should stand out.
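One way to do the first of these on managed machines is Firefox's enterprise policy file. The snippet below is an added example, not something from the article; it assumes a Firefox build that reads `distribution/policies.json` from the installation directory (Firefox 60 and later), and the extension ID and install URL shown are placeholders for whatever your organisation has approved.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Add-ons are managed centrally. Contact the security team to request one."
      },
      "approved-addon@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.example.com/approved-addon.xpi"
      }
    },
    "ExtensionUpdate": true
  }
}
```

The `"*"` entry blocks installation of every extension not listed explicitly, which is what stops a user from accepting a plug-in offered by a compromised website; the named entry shows how an approved extension is pushed instead. On Windows the same policies can be delivered through Group Policy with Mozilla's ADMX templates rather than a file on disk.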
And your security team finally has an excuse to carefully monitor Spears' Instagram account for hidden messages.