
7/29/2015
11:00 AM

Can't Touch This: 'Hammertoss' Russian Cyberspies Hide In Plain Sight

APT29 cyber espionage attackers operate under the cover of legitimate services including Twitter, Github, and cloud storage services.

A recently discovered Russian cyber espionage operation camouflages its nefarious activity by employing a combination of legitimate services such as Twitter, Github, and cloud storage -- often pilfering information during a victim organization's work day.

Researchers from FireEye today outlined an aggressive and seemingly relentless cyber spying gang out of Russia, which the security firm has dubbed APT29, and its so-called Hammertoss malware. For example, the attackers automatically rotate Twitter handles daily for sending commands to infected machines, use images embedded with encrypted command information, and upload stolen information to cloud storage services. They also recruit legitimate web servers that they infect as part of the command and control infrastructure.

"It's a very difficult malware tool to detect. They are leveraging best practices of malware development," says Jordan Berry, threat intelligence analyst for FireEye. "We've before observed some of these tactics alone with this and other groups; we've seen malware communicate with Twitter for command and control before. It's the unique combination" of legit services attempting to mask its hacking that makes APT29's operation stand out, he says.

"This is going to challenge our defense in the future," he says.

FireEye says APT29 is the same group behind Seaduke, malware that Symantec researchers recently highlighted in a blog post. But it's unclear if APT29 is the group behind MiniDuke, another Russian cyber espionage campaign targeting mostly Eastern European government agencies. The MiniDuke backdoor Trojan, also thought to be out of Russia, also uses Twitter for command and control and sending images with encrypted information, but FireEye's team says it can't say for sure that those two are related.

The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.

That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.

"The whole path of the network traffic gives nothing to conclude" that this is an attack, notes Laura Galante, director of threat intelligence for FireEye.

"We saw a downloaded image from Github with appended and encrypted information. [Once decrypted], it contains instructions for the malware: it can collect information about the victim's network and do reconnaissance, and it uploads that information to a cloud storage service," Berry says.
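One defensive check that follows from the appended-data detail above, as an added example that is not from the article or from FireEye's report: parse a downloaded JPEG or PNG to its true end marker and report how many bytes follow it and how random they look. The function names and sample bytes are constructed for illustration, and trailing data is a heuristic signal, not proof of compromise.

```python
import math
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def jpeg_end(data):
    """Offset just past the real EOI marker, or None if not a parseable JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 1 < len(data):
        marker = data[i + 1]
        if data[i] != 0xFF or marker == 0xFF:            # scan byte or fill byte
            i += 1
        elif marker == 0xD9:                             # EOI outside any segment
            return i + 2
        elif marker == 0x00 or 0xD0 <= marker <= 0xD7:   # stuffed FF / restart
            i += 2
        else:   # length-prefixed segment: skip its payload (e.g. EXIF thumbnail)
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    return None

def png_end(data):
    """Offset just past the IEND chunk, or None if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    i = len(PNG_SIG)
    while i + 12 <= len(data):
        length, ctype = int.from_bytes(data[i:i + 4], "big"), data[i + 4:i + 8]
        i += 12 + length                                 # length, type, data, CRC
        if ctype == b"IEND":
            return i if i <= len(data) else None
    return None

def entropy(buf):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    n = len(buf)
    return sum(-c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def inspect_image(data):
    end = jpeg_end(data) or png_end(data)
    if end is None:
        return None
    trailer = data[end:]
    return {"image_end": end, "trailer_len": len(trailer), "trailer_entropy": round(entropy(trailer), 2)}

# Constructed skeleton (not a decodable picture): SOI, APP1 with a decoy FFD9, SOS, scan, EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xe1\x00\x09thumb\xff\xd9\xff\xda\x00\x04\x00\x00\x12\xff\x00\x34\xff\xd9"
TRAILER = bytes(range(256))   # constructed stand-in for appended ciphertext
print(inspect_image(CLEAN_JPEG + TRAILER))
```

Walking the segments matters because a naive search for the first `FF D9` stops inside metadata such as an embedded thumbnail and would misreport the rest of a clean image as a trailer.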

Watching The Watchers

APT29, which has been in action at least since late 2014, targets government agencies and organizations involved in foreign policy, defense contracting, and education, with a big focus on Russian and Ukrainian issues, according to FireEye, which published a report on Hammertoss today. But researchers there have not yet pinpointed its initial attack vector, although more than likely, it was via a phishing attack.

The attackers also watch the watchers: "They monitor the security team on what they knew about them" and then adjust their tactics to evade them, Berry says. "It's a very aggressive operation. They have significant resources and are regularly updating their malware.

"It's going to be difficult to detect even if you are aware of it," he says. Even identifying indicators of compromise is difficult since they use compromised, legit services, he says.

Symantec also has noted the confidence of the Hammertoss/Seaduke spy team. The developers appeared to flex their muscles a bit when they named one of the malware's functions "forkmeiamfamous," according to Symantec's Security Response team. "Its attacks have been so bold and aggressive, that a huge amount of attention has been drawn to it, yet it appears to be unperturbed. Its success at compromising such high-profile targets has no doubt added a few feathers to its cap," the team wrote in a blog post this month.

Now that the cat's out of the bag about APT29's latest activity, the attackers likely will change up their tactics again. "Will they still use Hammertoss?" Galante says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Egbert O'Foo,
User Rank: Apprentice
8/20/2015 | 9:50:12 AM
Re: Brilliant
Egress filtering and monitoring might be of some help: if your systems aren't *supposed* to be going to Twitter & Github, why are they requesting URIs from them?

I'm kind of surprised how many enterprises simply allow outbound traffic to go where it wills, although operating margins often mean that not enough resources can be devoted to servicing such a paradigm, and user behavior in some offices these days often includes a mix of work and personal activity, as you're probably aware.
RyanSepe,
User Rank: Ninja
7/30/2015 | 12:51:46 PM
Re: Brilliant
A more stringent vetting process for Twitter would result in less of an ease of acquisition in terms of accounts for genuine users. Question is, if they are using Twitter as the in-between between attacker and victim, does this make Twitter in some way liable?
Kelly Jackson Higgins,
User Rank: Strategist
7/30/2015 | 11:21:50 AM
Re: Brilliant
FireEye has provided a malware IoC for companies to look for. What I keep thinking is, why can't Twitter monitor some of this account abuse? That's only one piece of the CnC, but the fact that they can abuse it so freely seems silly.
RyanSepe,
User Rank: Ninja
7/30/2015 | 10:24:29 AM
Brilliant
Pretty impressive on their end. What are some security guidelines to follow to make their malware attempt less effective?