SecurityWeek

Malware & Threats

Russian Hacker Tool Uses Legitimate Web Services to Hide Attacks: FireEye

HAMMERTOSS Malware From Russian Hackers Uses Popular Web Services to Conceal Attacks


A sophisticated group of hackers from Russia is using a malware tool that hides malicious activity inside legitimate network traffic by leveraging common web services such as Twitter, GitHub and cloud storage providers, FireEye said Wednesday.

The backdoor, which FireEye has dubbed “HAMMERTOSS”, was first discovered by the security firm in early 2015 and is being used by a Russian APT group to relay commands to, and exfiltrate data from, compromised targets.

The threat actor group behind HAMMERTOSS is tracked by FireEye as APT29, which the company describes as “one of the most capable” threat groups it tracks.

FireEye researchers broke the HAMMERTOSS communication process into several stages that show how the tool operates, receives instructions, and extracts information from a victim’s network.

“HAMMERTOSS combines all of the best practices of malware development,” Jordan Berry, a Threat Intelligence Analyst at FireEye, told SecurityWeek.


In the first stage the implant turns to Twitter, looking for a specific account whose handle it generates with a predictable algorithm; the handle changes daily, so the operators only need to register that day’s account when they want to issue instructions.

“In the second stage, the malware looks for a tweet containing a URL and a hashtag,” Berry said. “The URL will direct the malware implant to download an image.”


In the third stage the implant downloads the image the tweet points to. The file looks like an ordinary image, but encrypted data has been appended after the image content, and that data carries the instructions for the malware.

“While the image appears normal, it actually contains steganographic data. Steganography is the practice of concealing a message, image, or file within another message, image, or file,” FireEye’s report explained.

Finally, the malware uses PowerShell to execute commands on the compromised host and uploads the results to a cloud storage provider.
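The appended data in the third stage is something a defender can check for without knowing the cipher: bytes that follow the structural end of a PNG (the IEND chunk) or a JPEG (the EOI marker) have no reason to be in a normal download, and encrypted tasking will have high byte entropy. The block below is an added example, not FireEye’s code and not anything taken from the malware: it walks both formats to their structural end, measures the entropy of whatever trails it, and runs the check over constructed sample images with a constructed 64-byte blob appended. The 16-byte and 4-bits-per-byte thresholds are assumed tuning values, not figures from the report.

```python
import math
import struct
import zlib
from collections import Counter


def png_end_offset(data):
    # Offset just past the IEND chunk, or None if this is not a parseable PNG.
    sig = b"\x89PNG\r\n\x1a\n"
    if not data.startswith(sig):
        return None
    pos = len(sig)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data):
    # Offset just past the EOI marker (FF D9), or None. Walks marker segments
    # instead of searching for FF D9, since EXIF thumbnails embed their own EOI.
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                  # lost marker sync; treat as malformed
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                     # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:               # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                # a real marker, not FF00 stuffing or RSTn
                pos += 1
    return None


def shannon_entropy(buf):
    # Bits per byte: near 8 for ciphertext or compressed data, lower for text.
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def trailing_payload(data):
    # (bytes appended after the image's structural end, their entropy), or None.
    end = png_end_offset(data)
    if end is None:
        end = jpeg_end_offset(data)
    if end is None:
        return None
    trailer = data[end:]
    return trailer, shannon_entropy(trailer)


def is_suspicious(data, min_trailer=16, min_entropy=4.0):
    # Assumed tuning values: flag >= 16 trailing bytes at >= 4 bits/byte.
    res = trailing_payload(data)
    if res is None:
        return False
    trailer, ent = res
    return len(trailer) >= min_trailer and ent >= min_entropy


def build_minimal_png():
    # Constructed sample input: a valid 1x1 RGB PNG built in memory.
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one RGB pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_minimal_jpeg():
    # Constructed sample input: structurally valid SOI/APP0/SOS/scan/EOI, not a decodable picture.
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"               # includes an FF00 stuffed byte pair
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + scan + b"\xff\xd9")


CLEAN_PNG = build_minimal_png()
CLEAN_JPEG = build_minimal_jpeg()
# Constructed stand-in for an appended encrypted command blob (64 distinct byte values).
APPENDED = bytes((i * 73 + 19) % 251 for i in range(64))
SUSPECT_PNG = CLEAN_PNG + APPENDED
SUSPECT_JPEG = CLEAN_JPEG + APPENDED
```

Some cameras and editors legitimately write metadata after the EOI marker, so this check alone will produce false positives; it earns its keep when paired with the network context the article describes, such as a process that visits Twitter, fetches an image URL and then writes to a cloud storage API.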

“These techniques have been used by other threat groups in the past in the singular, but the whole operation in total is what’s really unique about HAMMERTOSS,” Jen Weedon, Threat Intelligence Manager at FireEye, told SecurityWeek. FireEye attributes APT29 to Russia and believes the group is connected to the MiniDuke and OnionDuke attack campaigns.

HAMMERTOSS is not widely deployed, Weedon said, adding that the group likely keeps it as a backup tool for use if its primary tools are discovered.

“HAMMERTOSS seems to be only deployed against critical targets, so we think [the attackers] are only using it when other tools aren’t working, or if their operation has been disrupted in some way,” she said.

“We speculate that APT29 may make modifications to HAMMERTOSS or abandon it altogether and develop a new tool if they discover incident responders or antivirus software is detecting it,” FireEye’s report concluded. “The group has demonstrated an understanding of network defenders’ countermeasures. During our investigations, APT29 continually deployed new versions of backdoors to fix bugs and add functions, as well as kept tabs on network defenders’ activities to counter attempts to clean the client’s system to maintain access to the victim environment.”

FireEye told SecurityWeek that it has contacted both Twitter and the cloud storage provider(s) involved in the few attack campaigns it has observed. The researchers would not name the storage provider, saying only that it is one of the top three cloud storage services.

As of the time of publishing, a HAMMERTOSS sample (identified by an MD5 hash provided by FireEye) was detected by just 4 of 56 anti-malware engines on VirusTotal.

The full report (PDF) from FireEye is available online, and FireEye has produced a short video explaining the overall threat.


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
