A malicious backdoor, dubbed Hammertoss, has been unmasked as an ingenious tool employed by a notorious group of Russian cyber-criminals operating with advanced persistent threat (APT) tactics.
The group, known as APT 29, is identified as a probably-state-sponsored actor active in the Russian espionage scene. According to FireEye, Hammertoss is designed to make it difficult for security professionals to detect and characterize the extent of the group’s activity. It also performs data exfiltration.
The developers of Hammertoss have crafted it to help the group avoid detection by adding layers of obfuscation and multiple malware tactics, and mimicking the behavior of legitimate users.
It uses several commonly visited websites—including Twitter, GitHub and cloud storage services—to relay commands and extract data from victims. It can also use compromised web servers for command and control (CnC).
"The novel approach APT29 takes to carry out its attacks and maintain their persistence in networks represents a level of difficulty that security professionals could see trickle down into their own network security operations," said Laura Galante, director, threat intelligence at FireEye.
To wit: It’s first of all careful to change up its modus operandi on a regular basis, visiting different Twitter handles daily and automatically. It beacons each day to a different, algorithmically-matched Twitter handle for links and hashtags with commands.
It also uses timed starts (communicating only after a specific date or only during the victim’s work week), and it generally obtains commands via images containing hidden and encrypted data. It does this by following social media links to sites like GitHub that host images with commands hidden within them—a practice known as steganography.
And finally, its end purpose is to extract information from a compromised network, uploading files to cloud storage services.
“APT29 is among the most capable groups that we track,” FireEye said in its report. “While other APT groups try to cover their tracks to thwart investigators, APT29 stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts.”
Operating in its current form since at least 2014, APT 29 has demonstrated those very strong capabilities through not just tools like Hammertoss, but also by aggressively monitoring network defenders and/or forensic investigators, and attempting to subvert them.
Ken Westin, senior security analyst for Tripwire, has also been tracking the development of these kinds of capability. He told Infosecurity that he considers the track quite clever.
“This particular method of attack is pretty clever, as it takes advantage of most enterprise organizations trust and whitelisting of well-known social media platforms,” he said. “By downloading binary images and embedding commands in the images they easily circumvent most detection mechanisms. The additional measure of encrypting the message within the image serves a double purpose to both hide the messages in the image in case it is intercepted, as well as to assist in bypassing any steganography detection tools an organization may have in place. Encrypted data in the image makes steganography detection harder because encrypted data generally has a high degree of randomness making it much less suspicious when embedded with image data.”
He also noted that this type of attack vector makes traditional threat intelligence moot.
“Where threat intelligence feeds will provide information about malicious IPs and hosts for command and control servers that malware has been found to use, this attack uses trusted services and domains that are for the most part whitelisted,” he explained. “It then also hides command-and-control activity by encrypting commands in images to further bypass network detection controls. This shows the importance of integrating network based threat intelligence with endpoint intelligence with the assumption that either can fail.”