
Russian hackers used Twitter, photos to reach US computers

FireEye researchers said secret messages hidden within the image files through steganography, the practice of concealing data inside otherwise innocuous files, can instruct the malware to conduct reconnaissance on the infected computer, execute arbitrary commands via PowerShell, or upload local data to a cloud storage service on the Web, from which details about the commandeered machine are relayed back to the hackers.


The malware uses an algorithm that generates a new Twitter handle every day, which it then checks for instructions. The security firm has just issued a threat intelligence report, “Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group”, analyzing its operations. FireEye notes that APT29 uses an elaborate system of tweets to communicate with Hammertoss in order to lower the chance of detection.
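To make the daily-handle scheme concrete, here is an added illustration (not code from the FireEye report or from Hammertoss itself) of how a deterministic, date-seeded generator produces a different handle each day, and how a defender who recovers the seed could precompute the handles for the coming week. The seed value and the derivation (a SHA-256 hash of the seed and the UTC date, rendered in a Twitter-safe alphabet) are assumptions for illustration only; the real algorithm is not described on this page.

```python
import datetime
import hashlib
from typing import Dict

# Constructed seed for the illustration. In a real implant the seed would be
# embedded in the binary; its actual value is not known from the page.
SEED = b"example-seed"

# Characters Twitter permits in handles (letters, digits, underscore); the
# generator draws from this set so every output is a plausible handle.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def handle_for_date(day_iso: str, seed: bytes = SEED, length: int = 12) -> str:
    """Hypothetical daily-handle derivation: hash the seed together with the
    date so that every infected host computes the same handle for a given day
    without any contact with the operators."""
    day = datetime.date.fromisoformat(day_iso)
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    # Map the first `length` bytes of the digest onto the handle alphabet.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def handles_for_window(start_iso: str, days: int, seed: bytes = SEED) -> Dict[str, str]:
    """Defender-side use: once the seed is recovered from a sample, precompute
    the handles for a window of days so they can be watched (or registered)
    before the malware checks them."""
    start = datetime.date.fromisoformat(start_iso)
    window = {}
    for i in range(days):
        day = start + datetime.timedelta(days=i)
        window[day.isoformat()] = handle_for_date(day.isoformat(), seed)
    return window


if __name__ == "__main__":
    for day, handle in handles_for_window("2015-07-29", 7).items():
        print(day, handle)
```

The point of the design is that the implant and its operators never need to exchange the day's handle: both sides derive it from the shared seed and the date, which is why defenders cannot simply blocklist a single account.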

“When they see Twitter traffic, it’s less suspicious,” said Steve Ledzian, systems engineering director for FireEye in Asia. Each tweet carries a URL pointing to an image and a hashtag; the hashtag tells the malware where in the image file the hidden data begins and supplies a few characters to be appended to the decryption key already embedded in Hammertoss, which it needs to recover the contents.

Hammertoss uses Twitter as its command-and-control (C2) channel, retrieving its instructions from tweets rather than from a server the attackers own. For ordinary users, the advice for now is not to follow links from Twitter accounts you are unsure of, particularly tweets that pair a URL with an image.
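The following is an added worked example (not code from the FireEye report, the article, or the malware) of the tweet-and-image mechanism described above, from the implant's side and the defender's. It assumes a tweet layout in which the hashtag's leading digits give the byte offset at which the hidden data begins and the remaining characters are appended to a base key; the tweet text, the URL, the base key, the carrier image and the hash-based XOR keystream used as a stand-in cipher are all constructed for the illustration, since the page does not name the real cipher.

```python
import hashlib
import re
from typing import Optional, Tuple

# Constructed tweet in the shape the text describes: innocuous words, a URL to
# an image, and a hashtag carrying the offset (93) and key suffix ("docto").
TWEET = "Looking forward to the weekend! https://example.invalid/pic/8f2a.jpg #93docto"

# Stands in for the key already embedded in the implant (hypothetical value).
BASE_KEY = "base-key"

# URL followed by whitespace and a hashtag of digits then alphanumerics.
TWEET_RE = re.compile(r"(https?://\S+)\s+#(\d+)([A-Za-z0-9]*)")


def parse_tweet(text: str) -> Optional[Tuple[str, int, str]]:
    """Return (image_url, byte_offset, key_suffix), or None if the tweet does
    not carry instructions in the assumed layout."""
    m = TWEET_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def keystream(key: str, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode over the key. Used only
    so the example is self-contained; it is not the malware's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_image_with_payload(plaintext: bytes, key: str) -> Tuple[bytes, int]:
    """Constructed carrier: a minimal JPEG-shaped byte string (SOI ... EOI),
    93 bytes long, with the encrypted payload appended after the end-of-image
    marker. Returns the file bytes and the offset where the payload starts."""
    jpeg = (b"\xff\xd8\xff\xe0"            # SOI + APP0 marker
            + b"\x00\x10JFIF\x00"          # start of a JFIF header
            + b"\x00" * 80                 # filler standing in for image data
            + b"\xff\xd9")                 # EOI
    offset = len(jpeg)
    return jpeg + xor(plaintext, keystream(key, len(plaintext))), offset


def extract_command(image: bytes, offset: int, key_suffix: str,
                    base_key: str = BASE_KEY) -> bytes:
    """Implant side: slice the hidden bytes at the tweeted offset and decrypt
    them with the embedded key plus the tweeted suffix."""
    hidden = image[offset:]
    return xor(hidden, keystream(base_key + key_suffix, len(hidden)))


def trailing_bytes_after_eoi(image: bytes) -> int:
    """Defender side: count bytes after the last JPEG EOI marker (FF D9). A
    viewer ignores them, so the file still looks like a benign image, but a
    well-formed JPEG should end at EOI."""
    idx = image.rfind(b"\xff\xd9")
    if idx < 0:
        return 0
    return len(image) - (idx + 2)


def demo() -> Tuple[bytes, int]:
    """Operator encodes a PowerShell command, implant recovers it, and the
    trailing-data check flags the carrier."""
    url, offset, suffix = parse_tweet(TWEET)
    image, real_offset = build_image_with_payload(b"powershell -nop -c Get-Process",
                                                  BASE_KEY + suffix)
    assert offset == real_offset, "tweeted offset must match the carrier"
    return extract_command(image, offset, suffix), trailing_bytes_after_eoi(image)


if __name__ == "__main__":
    command, trailing = demo()
    print("recovered command:", command.decode())
    print("bytes after EOI:", trailing)
```

The trailing-bytes check is the cheap test a proxy or sandbox can apply to images fetched by a process that should not be browsing: the image renders normally, but anything after the EOI marker has no business being there.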

The tweet itself carries only the pointer to the image. What the malware collects about the targeted network systems is encrypted and uploaded to the cloud storage service, where the hackers retrieve and decode it before using it to make off with sensitive data.

According to the research paper, the group uses a combination of techniques that mimic real user behavior, disguising the malware’s actions as ordinary social media interactions.

This makes life hard for defenders, who would have to keep track of a constantly changing set of Twitter accounts to keep up with Hammertoss.

With most companies unlikely to block outbound traffic to Twitter’s servers, the hackers can stay under the radar: anyone who noticed the link would find only what looked like a benign image. The hackers can also quickly delete the tweet Hammertoss has read, which further complicates any investigation.

APT29 is strongly suspected to be based in Russia: it is generally active during normal working hours in Moscow and goes quiet on Russian holidays.


The advanced persistent threat (APT) group APT29, which has operated in its current form since at least 2014 and is thought to be backed by the Russian government, is behind Hammertoss.
