Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/29/2015
11:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Can't Touch This: 'Hammertoss' Russian Cyberspies Hide In Plain Sight

APT29 cyber espionage attackers operate under the cover of legitimate services including Twitter, Github, and cloud storage services.

A recently discovered Russian cyber espionage operation camouflages its nefarious activity by employing a combination of legitimate services such as Twitter, Github, and cloud storage -- often pilfering information during a victim organization's work day.

Researchers from FireEye today outlined the aggressive and seemingly relentless cyber spying gang out of Russia with its so-called Hammertoss malware -- a group dubbed APT29 by the security firm. The attackers automatically rotate Twitter handles daily for sending commands to infected machines, and use images embedded with encrypted command information and then upload stolen information to cloud storage services, for example. They also recruit legitimate web servers that they infect as part of the command and control infrastructure.

"It's a very difficult malware tool to detect. They are leveraging best practices of malware development," says Jordan Berry, threat intelligence analyst for FireEye. "We've before observed some of these tactics alone with this and other groups; we've seen malware communicate with Twitter for command and control before. It's the unique combination" of legit services attempting to mask its hacking that makes APT29's operation stand out," he says.

"This is going to challenge our defense in the future," he says.

FireEye says APT29 is the same group behind Seaduke, malware that Symantec researchers recently highlighted in a blog post. But it's unclear if APT29 is the group behind MiniDuke, another Russian cyber espionage campaign targeting mostly Eastern European government agencies. The MiniDuke backdoor Trojan, also thought to be out of Russia, also uses Twitter for command and control and sending images with encrypted information, but FireEye's team says it can't say for sure that those two are related.

The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.

That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.

"The whole path of the network traffic gives nothing to conclude" that this is an attack, notes Laura Galante, director of threat intelligence for FireEye.

"We saw a downloaded image from Github with appended and encrypted information. [Once decrypted], it contains instructions for the malware: it can collect information about the victim's network and do reconnaissance, and it uploads that information to a cloud storage service," Berry says.

Watching The Watchers

APT29, which has been in action at least since late 2014, targets government agencies and organizations involved in foreign policy, defense contracting, and education, with a big focus on Russian and Ukrainian issues, according to FireEye, which published a report on Hammertoss today. But researchers there have not yet pinpointed its initial attack vector, although more than likely, it was via a phishing attack.

The attackers also watch the watchers: "They monitor the security team on what they knew about them" and then adjust their tactics to evade them, Berry says. "It's a very aggressive operation. They have significant resources and are regularly updating their malware.

"It's going to be difficult to detect even if you are aware of it," he says. Even identifying indicators of compromise is difficult since they use compromised, legit services, he says.

Symantec also has noted the confidence of the Hammertoss/Seaduke spy team. The developers appeared to flex their muscles a bit when they named one of the malware's functions "forkmeiamfamous," according to Symantec's Security Response team. "Its attacks have been so bold and aggressive, that a huge amount of attention has been drawn to it, yet it appears to be unperturbed. Its success at compromising such high-profile targets has no doubt added a few feathers to its cap," the team wrote in a blog post this month.

Now that the cat's out of the bag bout APT29's latest activity, the attackers likely will change up their tactics again. "Will they still use Hammertoss?" Galante says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/30/2015 | 10:24:29 AM
Brilliant
Pretty impressive on their end. What are some security guidelines to follow to make their malware attempt less effective?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/30/2015 | 11:21:50 AM
Re: Brilliant
FireEye has provided a malware IoC for companies to look for. What I keep thinking is, why can't Twitter monitor some of this account abuse? That's only one piece of the CnC, but the fact that they can abuse it so freely seems silly.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/30/2015 | 12:51:46 PM
Re: Brilliant
A more stringent vetting process for twitter would result in less of an ease of acquisition in terms of accounts for genuine users. Question is, if they are using twitter as the inbetween between attacker and victim does this make twitter in some way liable?
Egbert O'Foo
50%
50%
Egbert O'Foo,
User Rank: Apprentice
8/20/2015 | 9:50:12 AM
Re: Brilliant
Egress filtering and monitoring might be of some help: if your systems aren't *supposed* to be going to Twitter & Github, why are they requesting URI's from them?

I'm kind of surprised how many enterprises simply allow outbound traffic to go where it wills, although operating margins often mean that not enough resources can be devoted to servicing such a paradigm, and user behavior in some offices these days often includes a mix of work and personal activity, as you're probably aware.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30174
PUBLISHED: 2021-05-11
RiyaLab CloudISO event item is added, special characters in specific field of time management page are not properly filtered, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks.
CVE-2021-32544
PUBLISHED: 2021-05-11
Special characters of IGT search function in igt+ are not filtered in specific fields, which allow remote authenticated attackers can inject malicious JavaScript and carry out DOM-based XSS (Cross-site scripting) attacks.
CVE-2021-32563
PUBLISHED: 2021-05-11
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.
CVE-2020-23369
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3.
CVE-2020-23370
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.