HAMMERTOSS Malware From Russian Hackers Uses Popular Web Services to Conceal Attacks
A group of sophisticated hackers from Russia is using a malware tool that hides malicious activity within legitimate network traffic by leveraging common web services such as Twitter, GitHub and cloud storage providers, FireEye said Wednesday.
The malicious backdoor, which FireEye has dubbed “HAMMERTOSS”, was first discovered by the security firm in early 2015 and is being used by a Russian APT group to relay commands and extract data from compromised targets.
The threat actor group behind HAMMERTOSS is tracked by FireEye as APT29, a group that the company describes as “one of the most capable” threat groups they track.
FireEye researchers broke the malware’s communication process into several stages to explain how HAMMERTOSS operates, receives instructions, and extracts information from a victim’s network.
“HAMMERTOSS combines all of the best practices of malware development,” Jordan Berry, a Threat Intelligence Analyst at FireEye, told SecurityWeek.
The first stage leverages Twitter: the malware generates a different Twitter handle each day using a predictable algorithm, and checks that account for instructions.
“In the second stage, the malware looks for a tweet containing a URL and a hashtag,” Berry said. “The URL will direct the malware implant to download an image.”
In stage three, the malware downloads the image referenced by the tweet. The image has encrypted data appended to the end of the file, and that appended data carries the instructions for the malware.
“While the image appears normal, it actually contains steganographic data. Steganography is the practice of concealing a message, image, or file within another message, image, or file,” FireEye’s report explained.
Finally, the malware uses PowerShell to execute the commands on the compromised host and uploads the resulting data to a cloud storage provider.
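The four stages above, modelled end to end as an added example (this is not FireEye’s or APT29’s code): a daily handle computed from a predictable algorithm, a tweet carrying a URL plus hashtag, a JPEG with encrypted data appended past its end-of-image marker, and the command recovered from that trailer. The handle algorithm, the hashtag-derived XOR keystream, the sample tweet and the sample image bytes are all constructed assumptions for illustration. The useful defensive piece is `trailing_data`, which walks the JPEG segment structure to the real EOI marker (so an `FF D9` inside an EXIF thumbnail is not mistaken for it) and returns whatever follows; run it over images fetched from tweet-linked URLs and anything non-empty deserves a look.

```python
"""Constructed model of the HAMMERTOSS-style four-stage channel.
Not FireEye's or APT29's code; the handle algorithm, key derivation and
sample data below are assumptions made for this example."""
import datetime as dt
import hashlib
import math
import re
from collections import Counter


# Stage 1: the implant derives a new Twitter handle every day from a seed and
# the date. Toy algorithm (assumption), shown only to make the idea concrete.
def daily_handle(day_iso: str, seed: bytes = b"example-seed") -> str:
    digest = hashlib.sha256(seed + day_iso.encode()).hexdigest()
    return "h" + digest[:12]  # 13 characters, inside Twitter's 15-char handle limit


# Stage 2: pull the URL and the hashtag out of the tweet text.
TWEET_RE = re.compile(r"(?P<url>https?://\S+)[^#]*#(?P<tag>\w+)")


def parse_tweet(text: str):
    m = TWEET_RE.search(text)
    return (m.group("url"), m.group("tag")) if m else None


# Stage 3: walk the JPEG segments to the true end-of-image marker and return
# whatever was appended after it. Walking segments matters because APPn blocks
# (e.g. EXIF thumbnails) can legitimately contain an FF D9 of their own.
def trailing_data(image: bytes) -> bytes:
    if not image.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(image):
        if image[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = image[pos + 1]
        if marker == 0xFF:  # fill byte, keep scanning
            pos += 1
            continue
        if marker == 0xD9:  # EOI reached without an SOS (malformed, but handle it)
            return image[pos + 2:]
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        length = int.from_bytes(image[pos + 2:pos + 4], "big")
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data follows
            # Inside entropy-coded data every FF is escaped as FF 00 or is a
            # restart marker (FF D0..D7), so the first FF D9 here is the real EOI.
            eoi = image.find(b"\xff\xd9", pos)
            if eoi < 0:
                raise ValueError("no EOI marker after SOS")
            return image[eoi + 2:]
    raise ValueError("no SOS segment found")


# Stage 4: undo the toy encryption (XOR with a hashtag-derived keystream; an
# assumption for this example) to obtain the command the implant would hand
# to PowerShell. Nothing is executed here.
def key_from_tag(tag: str) -> bytes:
    return hashlib.sha256(tag.encode()).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a blob; a triage hint when looking at recovered trailers."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_image(command: bytes, tag: str) -> bytes:
    """Constructed minimal JPEG skeleton (45 bytes) with the encrypted command appended."""
    return (
        b"\xff\xd8"                                                             # SOI
        + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xe1" + (8).to_bytes(2, "big") + b"Ex\xff\xd9\xffA"             # APP1 with a decoy FF D9
        + b"\xff\xda" + (4).to_bytes(2, "big") + b"\x01\x00"                    # SOS header
        + b"\x12\xff\x00\x34\xff\xd0\x56"                                       # escaped FF and an RST0
        + b"\xff\xd9"                                                           # real EOI
        + xor_stream(command, key_from_tag(tag))                                # appended trailer
    )


def recover_command(tweet: str, image: bytes) -> bytes:
    """Stages 2 to 4 over a tweet and the image it pointed to."""
    parsed = parse_tweet(tweet)
    if parsed is None:
        raise ValueError("tweet carries no URL + hashtag")
    _url, tag = parsed
    return xor_stream(trailing_data(image), key_from_tag(tag))


if __name__ == "__main__":
    tweet = "check this out https://example.invalid/photo.jpg so cute #k9x2a7"  # constructed
    image = build_sample_image(b"Get-Process | Out-String", "k9x2a7")            # constructed
    print("today's handle:", daily_handle(dt.date.today().isoformat()))
    print("tweet parsed as:", parse_tweet(tweet))
    blob = trailing_data(image)
    print(len(blob), "trailing bytes, entropy %.2f bits/byte" % shannon_entropy(blob))
    print("recovered command:", recover_command(tweet, image))
```

`trailing_data` on a clean image returns an empty byte string; anything else means the file carries data the JPEG decoder will silently ignore, which is exactly the property this channel relies on.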
“These techniques have been used by other threat groups in the past in the singular, but the whole operation in total is what’s really unique about HAMMERTOSS,” Jen Weedon, Threat Intelligence Manager at FireEye, told SecurityWeek. FireEye assesses APT29 to be a Russian APT group and believes it is connected to the MiniDuke and OnionDuke attack campaigns.
HAMMERTOSS is not being deployed widely, Weedon said, adding that the malware is likely used as a backup tool in the event the group’s primary tools are discovered.
“HAMMERTOSS seems to be only deployed against critical targets, so we think [the attackers] are only using it when other tools aren’t working, or if their operation has been disrupted in some way,” she said.
“We speculate that APT29 may make modifications to HAMMERTOSS or abandon it altogether and develop a new tool if they discover incident responders or antivirus software is detecting it,” FireEye’s report concluded. “The group has demonstrated an understanding of network defenders’ countermeasures. During our investigations, APT29 continually deployed new versions of backdoors to fix bugs and add functions, as well as kept tabs on network defenders’ activities to counter attempts to clean the client’s system to maintain access to the victim environment.”
FireEye told SecurityWeek that it has been in touch with both Twitter and the cloud storage provider(s) used in the few attack campaigns it has witnessed. FireEye researchers would not disclose the cloud storage provider by name, saying only that it was a top-three provider of cloud storage services.
As of the time of publishing, the HAMMERTOSS sample identified by the MD5 hash FireEye provided was detected by just 4 of 56 anti-malware engines on VirusTotal.
The full report (PDF) from FireEye is available online, and FireEye also produced a short video explaining the overall threat.