Russian Hacker Tool Uses Legitimate Web Services to Hide Attacks: FireEye

HAMMERTOSS Malware From Russian Hackers Uses Popular Web Services to Conceal Attacks

A group of sophisticated hackers from Russia is using a malware tool that hides malicious activity inside legitimate network traffic by leveraging common web services such as Twitter, GitHub and cloud storage providers, FireEye said Wednesday.

The malicious backdoor, which FireEye has dubbed “HAMMERTOSS”, was first discovered by the security firm in early 2015 and is being used by a Russian APT group to relay commands and extract data from compromised targets.

The threat actor group behind HAMMERTOSS is tracked by FireEye as APT29, a group that the company describes as “one of the most capable” threat groups they track.

FireEye researchers broke the HAMMERTOSS communication process into several stages to explain how the tool operates, receives instructions, and extracts information from a victim’s network.

“HAMMERTOSS combines all of the best practices of malware development,” Jordan Berry, a Threat Intelligence Analyst at FireEye, told SecurityWeek.


The first stage leverages Twitter: the implant derives a specific Twitter account name from a predictable algorithm, and the name it looks for changes daily.


“In the second stage, the malware looks for a tweet containing a URL and a hashtag,” Berry said. “The URL will direct the malware implant to download an image.”

In stage three, the malware downloads the image the tweet points to. The image carries encrypted data appended to the end of the file, and that appended data holds the instructions for the malware.

“While the image appears normal, it actually contains steganographic data. Steganography is the practice of concealing a message, image, or file within another message, image, or file,” FireEye’s report explained.

Finally, the malware uses PowerShell to execute commands on the compromised host and uploads the results to a cloud storage provider.
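The stage-three artifact described above is something a responder can check offline. The script below is an added example, not FireEye's tooling and not anything from the report: it walks a PNG or JPEG to the format's own end-of-image marker (the PNG IEND chunk, the JPEG EOI marker), then reports whether any bytes follow it and how random those bytes look. It makes no assumption about how HAMMERTOSS locates or decrypts its payload, since the page does not say; a flagged image still needs a human to decide what the trailer is. The sample images and the high-entropy blob standing in for an encrypted payload are constructed inline so that the script runs with no network and no real samples.

```python
# Added example: detect data appended past an image's end-of-file marker.
# Not FireEye's code; the sample images and "encrypted" blob below are constructed.
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def png_image_end(data):
    """Offset just past the IEND chunk, or None if the PNG is malformed or truncated."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4                 # header + payload + CRC
        if chunk_end > len(data):
            return None
        body = data[pos + 4:pos + 8 + length]            # CRC covers type + payload
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != stored_crc:
            return None                                  # corrupt chunk: don't trust the walk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_image_end(data):
    """Offset just past the EOI marker, walking marker segments until the first SOS."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                             # EOI with no scan data at all
            return pos + 2
        elif marker == 0xDA:                             # SOS: entropy-coded data follows;
            idx = data.find(JPEG_EOI, pos + 2)           # FF is stuffed there, so FFD9 is only EOI
            return None if idx == -1 else idx + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers carry no length
            pos += 2
        elif pos + 4 > len(data):
            return None
        else:
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None


def shannon_entropy(buf):
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def scan_image(data, min_trailer=16, min_entropy=6.0):
    """Describe any trailer found after the image's own end; thresholds are illustrative."""
    for fmt, end_fn in (("png", png_image_end), ("jpeg", jpeg_image_end)):
        end = end_fn(data)
        if end is not None:
            trailer = data[end:]
            ent = shannon_entropy(trailer)
            return {"format": fmt, "image_end": end, "trailer_len": len(trailer),
                    "trailer_entropy": round(ent, 2),
                    "suspicious": len(trailer) >= min_trailer and ent >= min_entropy}
    return {"format": None, "image_end": None, "trailer_len": 0,
            "trailer_entropy": 0.0, "suspicious": False}


def _png_chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_clean_png():
    """Constructed 1x1 RGB PNG that any viewer will open."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")      # filter byte + one black pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_clean_jpeg():
    """Constructed JPEG skeleton (SOI, APP0, SOS, scan bytes, EOI): structurally valid, not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56" + JPEG_EOI


def fake_encrypted_blob(n=1024, seed=b"constructed sample"):
    """Deterministic high-entropy bytes standing in for an encrypted payload (not real ciphertext)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    for name, blob in (("clean.png", make_clean_png()),
                       ("stego.png", make_clean_png() + fake_encrypted_blob()),
                       ("clean.jpg", make_clean_jpeg()),
                       ("stego.jpg", make_clean_jpeg() + fake_encrypted_blob())):
        print(name, scan_image(blob))
```

The entropy threshold only separates padding or stray text from something that looks encrypted or compressed; a low-entropy trailer can still be meaningful, and a high-entropy one can be a benign embedded thumbnail or ICC profile that some tools write after the image, so treat a hit as a lead to pull the file for analysis rather than a verdict.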

“These techniques have been used by other threat groups in the past in the singular, but the whole operation in total is what’s really unique about HAMMERTOSS,” Jen Weedon, Threat Intelligence Manager at FireEye, told SecurityWeek. FireEye believes APT29 is a Russian APT group and connects it to the MiniDuke and OnionDuke attack campaigns.

HAMMERTOSS isn’t being deployed widely, Weedon said, adding that the malware is likely used as a backup tool for when the group’s primary tools are discovered.

“HAMMERTOSS seems to be only deployed against critical targets, so we think [the attackers] are only using it when other tools aren’t working, or if their operation has been disrupted in some way,” she said.

“We speculate that APT29 may make modifications to HAMMERTOSS or abandon it altogether and develop a new tool if they discover incident responders or antivirus software is detecting it,” FireEye’s report concluded. “The group has demonstrated an understanding of network defenders’ countermeasures. During our investigations, APT29 continually deployed new versions of backdoors to fix bugs and add functions, as well as kept tabs on network defenders’ activities to counter attempts to clean the client’s system to maintain access to the victim environment.”

FireEye told SecurityWeek that it has been in touch with both Twitter and the cloud storage provider(s) used in the few attack campaigns it has observed. FireEye researchers would not name the cloud storage provider, saying only that it was a top three provider of cloud storage services.

As of the time of publishing, a HAMMERTOSS sample identified by an MD5 hash FireEye provided was detected by just 4 of 56 anti-malware engines on VirusTotal.

The full report (PDF) from FireEye is available online, and FireEye also produced a short video explaining the overall threat.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
