Russian hackers using Twitter to inject Hammertoss malware

Hammertoss is a new piece of malware that’s great at stealing information.

The claim that the Russian hackers are government-backed and targeting US systems comes after FireEye previously warned that state-sponsored Chinese hackers have been conducting cyber espionage against South Asian governments and companies for at least a decade. It’s only a matter of time, FireEye researchers warned, until the group’s tactics make their way over to the cybercrime underworld.

FireEye security specialists discovered the malware, called Hammertoss, on the network of a client a couple of months ago. To start, the malware generates a different Twitter handle every day for each backdoor created. Very few firms would block outbound connections to Twitter, and successful connections to Twitter are typically not even considered as potentially malicious.

“When they see Twitter traffic, it’s less suspicious”, said Steve Ledzian, systems engineering director for FireEye in Asia.

The APT 29 controllers give instructions to Hammertoss via a tweet. This tweet will contain a URL and a hashtag.

The malware downloads images from GitHub that contain hidden messages for it. “HAMMERTOSS visits the associated Twitter account and looks for a tweet with a URL and a hashtag that indicates the location and minimum size of an image file”.

FireEye studied some of the instructions sent to Hammertoss installations, which consisted of encoded PowerShell commands, directions for storing stolen content on cloud services, and orders to execute other files. Because the handles are generated daily, if the account for a given day has not been registered, Hammertoss simply checks for the next generated account the following day.
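As an added illustration from the defender's side (this is not code from the article or from FireEye), the following Python script shows what the behaviour described above looks like in web-proxy logs and flags it: a host that visits a new Twitter profile path every day, most of which turn out not to exist. The proxy log format, the assumption that a non-existent profile answers with HTTP 404, the thresholds, and every sample line are constructed for this example.

```python
"""
Added example (not FireEye's code): flag hosts whose Twitter profile
visits rotate to a new handle every day, with most lookups failing,
the pattern a backdoor polling generated handles would leave behind.
Assumed log format (an assumption for this example, not from the article):
    <ISO timestamp> <client host> <method> <url> <http status>
Assumed: a profile for an unregistered account returns 404.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = """\
2015-07-28T09:02:11 ws-042 GET https://twitter.com/a7fk3l9qx2 404
2015-07-28T09:02:14 ws-042 GET https://twitter.com/a7fk3l9qx2 404
2015-07-29T09:03:40 ws-042 GET https://twitter.com/bq91zm4tcw 404
2015-07-30T09:01:02 ws-042 GET https://twitter.com/cz0p8rkd1n 200
2015-07-30T09:01:05 ws-042 GET https://github.com/example/repo/raw/master/img.png 200
2015-07-28T12:10:00 ws-117 GET https://twitter.com/FireEye 200
2015-07-29T12:11:00 ws-117 GET https://twitter.com/FireEye 200
2015-07-30T12:12:00 ws-117 GET https://twitter.com/FireEye 200
2015-07-29T13:00:00 ws-205 GET https://twitter.com/home 200
"""

# Top-level Twitter paths that are not user profiles (partial list, assumed).
NOT_PROFILES = {"home", "search", "i", "login", "settings", "explore"}


def parse_line(line):
    """Split one log line into (timestamp, host, method, url, status)."""
    ts, host, method, url, status = line.split()
    return datetime.fromisoformat(ts), host, method, url, int(status)


def twitter_handle(url):
    """Return the profile handle if url is https://twitter.com/<handle>, else None."""
    p = urlparse(url)
    if p.hostname not in ("twitter.com", "www.twitter.com"):
        return None
    parts = [s for s in p.path.split("/") if s]
    if len(parts) != 1 or parts[0] in NOT_PROFILES:
        return None
    return parts[0]


def find_rotating_handles(log_text, min_days=3, min_ratio_404=0.5):
    """Return {host: [(day, handle, status), ...]} for hosts that looked up
    Twitter profiles on at least min_days days, never reused a handle across
    days, and got 404 for at least min_ratio_404 of those lookups."""
    per_host = defaultdict(lambda: defaultdict(set))  # host -> day -> {(handle, status)}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _method, url, status = parse_line(line)
        handle = twitter_handle(url)
        if handle is None:
            continue  # non-Twitter or non-profile traffic is ignored
        per_host[host][ts.date()].add((handle, status))

    hits = {}
    for host, days in per_host.items():
        if len(days) < min_days:
            continue
        lookups = [(day, h, s) for day, hs in days.items() for h, s in hs]
        days_per_handle = defaultdict(set)
        for day, h, _ in lookups:
            days_per_handle[h].add(day)
        # A person revisits the same profiles; a generated handle is used once.
        if any(len(d) > 1 for d in days_per_handle.values()):
            continue
        ratio_404 = sum(1 for _, _, s in lookups if s == 404) / len(lookups)
        if ratio_404 < min_ratio_404:
            continue
        hits[host] = sorted((day.isoformat(), h, s) for day, h, s in lookups)
    return hits


if __name__ == "__main__":
    for host, lookups in find_rotating_handles(SAMPLE_LOG).items():
        print(host)
        for day, handle, status in lookups:
            print(f"  {day}  twitter.com/{handle}  HTTP {status}")
```

The "never reused across days" rule is what separates the generated-handle pattern from an employee who checks the same accounts every morning; lowering `min_ratio_404` catches backdoors whose handles the operators register promptly, at the cost of more false positives.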

While the individual techniques used by Hammertoss aren’t new, the report describes how combining them enables attackers to effectively compromise target networks. If Hammertoss can locate an APT 29-created handle, a direct link to the targeted network is established.

Hammertoss takes other steps to stay below the radar, Ledzian said.

“It’s a lot easier to hide in the noise”, Ledzian said.

The security firm said that the group is also able to monitor administration work at the victim end, meaning that it can adapt to clean-up and removal efforts. FireEye said these practices make APT 29 one of the most capable threats that it tracks.

Ledzian pointed out APT 29 is almost exclusively focused on hacking government-related organizations, and seems to be gathering up geopolitical information connected to Russia, meaning it is highly probable that the group works for or is a part of the Russian government.
