Britney Spears
Singer Britney Spears arrives at the 2015 MTV Video Music Awards in Los Angeles, California, August 30, 2015. Reuters/Danny Moloshok

Britney Spears’ social media account was used in a cyber attack by a Russian group called Turla. The cyber-attack team reportedly crafted a Trojan that utilised comments on Spears' Instagram account to store the location of its command and control (C&C) server.

According to Bleeping Computer, the malware was concealed as a Firefox extension. ESET, which discovered the exploit, said Turla is targeting governments, government officials and diplomats for years.

The comments on Spears' Instagram included a hashtag that resolves to a URL pointing to the C&C server. This Firefox extension is one of the group’s hacking tools and is distributed from the compromised site of a Swiss security company, Life Hacker notes.

Moreover, the extension utilises a bit.ly URL to reach its C&C, but the URL path could not be located in the extension code. This path will be obtained by using comments on a particular post on Instagram.

The extension would look at the comments, then compute a custom hash value. Regular expression on the comment will be run if the hash matches 183, so the path of the bit.ly URL will be obtained.

It’s not the first time researchers found a Firefox extension that delivered a backdoor. Last year, a new cyber-espionage unit was unveiled by Bitdefender researchers. It was named Pacifier APT.

HTML5 Encoder

According to ESET, the second one named HTML5 Encoder appeared to be only a test, mainly because the Firefox extension used a C&C server URL that resolved through a Bit.ly short URL. It allowed researchers to determine the number of times the URL was accessed. The ESET team said the extension was not widely used. ESET provided a further explanation about how the malware resolved the C&C domain.

Turla recently targets embassy websites, with some used to redirect visitors into malicious server. “It will also try to install an evercookie, or so-called super cookie, that will track the user throughout his browsing, across all sites on the internet,” ESET researchers said.

The group is also mounting a spearphishing campaign with a malicious Microsoft Word document that targets institutions worldwide per Info Security Magazine. The document drops an update of a Firefox extension.

This component has the ability to collect information on the system it is running on. It can also execute arbitrary code and upload or download files from the system, read directory content and send a file listing to C&C.

Read More:

Coles says food and grocery prices must come down further

Australia breaks world economic record for longest time without a recession

DAHBOO77/YouTube

RELATED STORIES