Britney Spears is back in the headlines. This time not for her songs but for hackers instead. Russian hacking group Turla has picked up a post from Britney Spears’ Instagram to command and control a malware. The Turla group in infamous for launching cyber attacks against governments.

Turla Firefox malware extension
The fake Firefox extension

What?

According to an Eset blog post is using a backdoor found in a fake Firefox extension for this purpose. “The extension has been distributed through a compromised Swiss security company website. Unsuspecting visitors to this website were asked to install this malicious extension. The extension is a simple backdoor, but with an interesting way of fetching its C&C domain.”

How?

The comments, left on the Instagram account, may appear harmless to most people, but are crafted in such a way

Britney malware Instagram postthat allows the malware to learn the location of the roving command server without rousing suspicion. Once the comment is left, the extension knows where to look for instructions on the internet to deliver ransomware or steal passwords, for example. In other words, the malware looks for a particular unsuspecting comment on an Instagram post, which when converted to a cryptographic hash, can be converted into the web address where the command server is located.

“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting”, researchers said. They further added that it makes it difficult to spot, firstly because the traffic looks like anybody else’s, secondly because of the flexibility of changing the address to the command server, and erasing any trace of it.

Britney Spears’ Intagram post