Backdoored Firefox extension checks Instagram for C&C info

Turla, an APT cyberespionage group that has been targeting corporations, intelligence and other government agencies for years, is using a malicious Firefox extension to backdoor targets’ systems.


The extension

Named “HTML5 Encoding 0.3.7”, the extension has a backdoor component that can gather information about the targeted system, send it encrypted to the C&C, upload and download files from the C&C, execute files, and read directory content.

It was delivered through the compromised website of an unnamed Swiss security company, and uses a bit.ly URL to reach its C&C. The URL in question is not included in the extension’s code, though: instead, it is computed from a comment on a photo posted to the Britney Spears official Instagram account.

“The extension will look at each photo’s comment and will compute a custom hash value,” ESET researchers noted.

If the hash matches 183, it will run this regular expression on the comment in order to obtain the path of the bit.ly URL:

[Image: Instagram C&C]

The bit.ly URL points to a page that was used in the past as a watering hole C&C by the Turla crew. And, since it's a bit.ly URL, the researchers were able to see just how many times it was clicked: 17.

The number is quite low, and this could indicate several things (not mutually exclusive): that it was a test run, and that the attack campaign leading to the extension was limited or extremely targeted.

ESET researchers also believe that this extension is an update of a previous one, described in a 2016 report by Bitdefender, and that the Pacifier APT described in the report is the Turla APT (aka Snake, Uroburos, or Agent.BTZ).

Still, this extension will not be capable of working as it does for much longer.

“There are several APIs that are used by the extension that will disappear in future versions of Firefox,” the researchers noted.

“For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These can only be used by add-ons that will be superseded by WebExtensions starting with Firefox 57. From that version onwards, Firefox will no longer load add-ons, thus preventing the use of these APIs.”
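As an added example (not code from ESET or from the extension), the sketch below triages an add-on package for the two legacy capabilities named above: process launch through `sdk/system/child_process` and file writes through XPCOM. The marker file names, the search patterns and the in-memory sample archives are assumptions made for this illustration.

```python
import io
import re
import zipfile

# Legacy (pre-WebExtension) capabilities named in the article. The exact
# patterns are this example's heuristic, not a published signature.
RISKY = {
    "process launch (sdk/system/child_process)":
        re.compile(r"""require\(\s*['"]sdk/system/child_process['"]\s*\)"""),
    "XPCOM file write (file-output-stream)":
        re.compile(r"@mozilla\.org/network/file-output-stream;1"),
}
# Files that typically mark a legacy add-on (assumption of this example).
LEGACY_MARKERS = {"install.rdf", "bootstrap.js", "package.json"}


def triage_xpi(data: bytes) -> dict:
    """Classify an .xpi (a ZIP archive) and list risky legacy API use per file."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        names = set(xpi.namelist())
        # WebExtensions ship a top-level manifest.json; legacy add-ons do not.
        legacy = "manifest.json" not in names and bool(names & LEGACY_MARKERS)
        for name in sorted(names):
            if not name.endswith((".js", ".jsm")):
                continue
            text = xpi.read(name).decode("utf-8", errors="replace")
            hits = [label for label, rx in RISKY.items() if rx.search(text)]
            if hits:
                findings[name] = hits
    return {"legacy": legacy, "findings": findings}


def build_sample_xpi(files: dict) -> bytes:
    """Build a constructed in-memory .xpi for the demo (no real add-on used)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in files.items():
            archive.writestr(name, body)
    return buf.getvalue()


# Constructed samples: harmless stand-ins that only mention the APIs.
SUSPECT = build_sample_xpi({
    "install.rdf": "<RDF/>",
    "index.js": 'const cp = require("sdk/system/child_process");\n',
    "lib/io.js": 'Cc["@mozilla.org/network/file-output-stream;1"]'
                 ".createInstance(Ci.nsIFileOutputStream);\n",
})
BENIGN = build_sample_xpi({"manifest.json": "{}", "bg.js": "console.log(1);\n"})

if __name__ == "__main__":
    print(triage_xpi(SUSPECT))
    print(triage_xpi(BENIGN))
```

A hit is a reason to review the add-on, not proof of compromise: legitimate legacy add-ons used the same APIs.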

Turla APT

Turla APT is a Russian-speaking cyberespionage actor, but it is impossible to say for sure whether it is working on behalf of a nation-state or is a group that steals information and sells it to the highest bidder.

It has been active for the last ten years, and possibly more. Its targets are often government entities, embassies, military, research and education organizations and pharmaceutical companies.

Turla APT uses zero-day exploits, social engineering and watering hole techniques to compromise targets’ computers: systems running Windows, Linux, and even macOS.

The group has previously used other unconventional methods for hiding the location of its command and control servers.