S P E C I A L R E P O R T

F I R E E Y E T H R E A T I N T E L L I G E N C E
##### **HAMMERTOSS: **

Stealthy Tactics Define
a Russian Cyber Threat Group

JULY 2015
## SECURITY REIMAGINED


-----

**HAMMERTOSS** 3

**APT29** 5

**Introducing HAMMERTOSS** 6
Five Stages of HAMMERTOSS 6

**Stage 1: The Communication Process Begins with Twitter** 7
Figure 1: HAMMERTOSS calls out to a Twitter handle 7

**Stage 2: Tweeting a URL, Minimum File Size of an Image, and Part of an Encryption Key** 8
Figure 2: Learning the URL, image size, and encryption key 8
Figure 3: Twitter page for d3109c83e07dd5d7fe032dc80c581d08 9

**Stage 3: Visiting GitHub to Download an Image** 10
Figure 4: The active Twitter account in our sample contained a GitHub URL
and a related GitHub page with image containing encrypted data 10

**Stage 4: APT29 Employs Basic Steganography** 11
Figure 5: Encrypted data appended beyond the `FF D9` JPEG End of File marker 11

**Stage 5: Executing Commands and Uploading Victim Data** 12
Figure 6: Executing Commands and Removing Data 12

**Conclusion** 13
Difficulty Identifying Accounts, Discerning Legitimate and Malicious Traffic,
and Predicting the Payload

APT29: An Adaptive and Disciplined Threat Group 13


2


-----

~~**HAMME**~~ **RT** ~~**OSS**~~


he Russian cyber threat groups that we
monitor frequently design innovative
#### T ways to cover their tracks. In early 2015, 

we came across stealthy malware—which we
call HAMMERTOSS—from an advanced

persistent threat group that we suspect the
Russian government sponsors. We designate
this group APT29.

Using a variety of techniques—from creating an
algorithm that generates daily Twitter handles
to embedding pictures with commands—the
developers behind HAMMERTOSS have devised
a particularly effective tool. APT29 tries to
undermine the detection of the malware by
adding layers of obfuscation and mimicking


the behavior of legitimate users. HAMMERTOSS
uses Twitter, GitHub, and cloud storage services
to relay commands and extract data from
compromised networks.

Using a variety of techniques—from
creating algorithms that generate daily
Twitter handles to embedding pictures
with commands—the developers
behind HAMMERTOSS have devised
a particularly effective tool.

3


-----

~~**HAMMERTOSS**~~ ~~**wo**~~ **r** ~~**ks**~~ **by** ~~**:**~~







While none of these tactics are new, the combination of these
techniques piqued our interest.


4


-----

# **APT29**



















|KALININGRAD TIME|MOSCOW TIME|SAMARA TIME|YEKATERINBURG TIME|OMSK TIME|KRASNOYARSK TIME|IRKUTSK TIME|YAKUTSK TIME|VLADIVOSTOK TIME|SREDNEKOLYMSK TIME|KAMCHATKA TIME|
|---|---|---|---|---|---|---|---|---|---|---|
||||||||||||
||||||||||||
|(UTC + 02/MSK-1)|(UTC + 03/MSK)|(UTC + 04/MSK+1)|(UTC + 05/MSK+2)|(UTC + 06/MSK+3)|(UTC + 07/MSK+4)|(UTC + 08/MSK+5)|(UTC + 09/MSK+6)|(UTC + 10/MSK+7)|(UTC + 11/MSK+8)|(UTC + 12/MSK+9)|


APT29 has been operating in its current form
since at least late 2014. We suspect the Russian
government sponsors the group because of
the organizations it targets and the data it
steals. Additionally, APT29 appeared to cease
operations on Russian holidays, and their work
hours seem to align with the UTC +3 time
zone, which contains cities such as Moscow
and St. Petersburg.

While other APT groups try to cover their
tracks to thwart investigators, very few groups
show the same discipline and consistency.


Similarly, few groups display the ability to adapt
to network defenders’ attempts to mitigate its
activity or remove it from victim networks. For
example, APT29 almost always uses anti-forensic
techniques, and they monitor victim remediation
efforts to subvert them. Likewise, the group
appears to almost solely uses compromised
servers for CnC to enhance the security of its
operations and maintains a rapid development
cycle for its malware by quickly modifying tools to
undermine detection. These aspects make APT29
one of the most capable APT groups that we track.

5


-----

**INTRODUCING HAMMERTOSS**


e first identified

HAMMERTOSS in early
#### W 2015. APT29 likely used

HAMMERTOSS as a backup for their two
primary backdoors to execute commands
and maintain access if the group’s principal
tools were discovered. We have identified

two HAMMERTOSS variants that give
APT29 alternative ways to communicate
with the malware. The developer appears
to name these variants *uploader* and
*tDiscoverer* . [1] Both variants are written

in the C# programming language. Each



variant uses different methods to acquire
CnC instructions, either by directly
accessing a hard-coded website or
accessing Twitter as an intermediary.

 - *Uploader* is preconfigured to use a

hard-coded server for its CnC. It goes
to a specific URL to obtain an image
with a specific file size.

 - *tDiscoverer* uses an additional layer of

obfuscation by first going to Twitter to
obtain a CnC URL, before visiting the
URL to acquire its target image.


We will focus on *tDiscoverer* in this report.

**Five Stages of HAMMERTOSS**
We have broken down the malware

communication process into five stages
to explain how the tool operates,
receives instructions, and extracts

information from victim networks. The

stages include information on what
APT29 does outside of the compromised
network to communicate with

HAMMERTOSS and a brief assessment

of the tool’s ability to mask its activity.







|3|Col2|Col3|
|---|---|---|
||||
||||






1 The “ *tDiscoverer* ” variants were originally named “tDiscoverer.exe,” and the “ *Uploader* ” variants had a debug path containing “uploader.pdb.”


6


-----

**STAGE 1:**
The Communication Process Begins with Twitter


1. HAMMERTOSS contains
an algorithm that generates
Twitter handles telling the
malware to visit a specific
Twitter handle on a specific
day.

A Twitter handle is a user
ID associated with Twitter’s
website. For instance,
FireEye’s Twitter handle,
@FireEye, has a URL:
https://www.twitter.com/
fireeye. The HAMMERTOSS
algorithm uses a basename,
like “Bob,” and appends and
prepends three CRC32
values based on the current
date. An example, may be
1abBob52b, which would
have the URL: hxxps://www.
twitter.com/1abBob52b.

2. HAMMERTOSS visits

the Twitter URL related
to its daily Twitter handle.
~~For~~ ~~instance,~~ ~~on~~ ~~Ju~~ ly 2 ~~9,~~
it may look for a handle
1abBob52b (hxxps://twitter.
com/1abBob52b).







~~**Figure**~~ ~~**1:**~~ ~~HAMMERTOSS~~ ~~calls~~ ~~out~~ ~~to~~ ~~a~~ ~~Twitter~~ ~~handle~~

|3a. APT29’s ope the handle. HAMMERTOSS Twitter page and tweet that provid on the next phas|rator registers goes to the looks for a es instructions e of the process.|
|---|---|
|||
|3b. APT29’s operator does not register the handle. HAMMERTOSS waits until the next day to begin the process again.||

### **H**


APT29 typically configures
HAMMERTOSS to communicate

within certain restrictions, such as
only checking the Twitter handle on
weekdays or after a specified start date.
This allows the malware to blend in to

“normal” traffic during the victim’s work
week or to remain dormant for a period
of time before activating.


AMMERTOSS first looks for

instructions on Twitter.


The malware contains an

algorithm that generates a daily Twitter
handle, which is an account user ID.
To create the handles, the algorithm
employs a basename, such as “Bob,” and
appends and prepends three CRC32
values based on the date. For example,
“1abBob52b” would have the URL:

hxxps://twitter.com/1abBob52b. Each
HAMMERTOSS sample will create a
different Twitter handle each day.


APT29 knows the algorithm used to
generate the handles and chooses
to register a Twitter handle and post
obfuscated instructions to the handle’s

URL before the malware attempts to
query it. If a particular day’s handle is
not registered and the URL for that
day is not found, HAMMERTOSS will
wait until the next day to attempt to
communicate with another handle.


7


-----

-----

In Figure 3 is a sample of the HAMMERTOSS *tDiscoverer* variant and a corresponding
snapshot of a Twitter account page from one of its generated handles. At the time of
publication, a publicly available HAMMERTOSS sample had only five generic detections
in VirusTotal. The Twitter account was active and contained a link to a website.


|MD5:|d3109c83e07dd5d7fe032dc80c581d08 (VirusTotal)|
|---|---|
|SHA1:|42e6da9a08802b5ce5d1f754d4567665637b47bc|
|Timing Behavior:|Communicate on weekdays only after April 3, 2015|
|Active Twitter Handle:|twitter[.]com/3c6Diallo7f0 (Figure 3 below)|
|Tweeted URL, Hashtag:|hxxp://www[.]doctorhandbook[.]com, #101docto|
|Detection Ratio:|5/56|
|Metadata:||


~~**Figure**~~ ~~**3:**~~ ~~Twitter~~ ~~page~~ ~~for~~ ~~d3109c83e07dd5d7fe032dc80c581d08~~

###### **HIDING**

AMONG UNREGISTERED
TWITTER ACCOUNTS

AMMERTOSS uses an

algorithm to generate
#### H hundreds of Twitter

handles annually for potential
CnC. Many of these are
unregistered, as APT29 chooses
to register a particular day’s
handle as needed and ahead of

an anticipated HAMMERTOSS
beacon. This small number of

registered accounts allows
the group to maintain a small
footprint.

Other tools use Twitter to relay
instructions, including: [2]

 - MiniDuke, a Windows-based

backdoor that is a suspected
Russian tool

 - the Sninfs botnet

 - Flashback, a Mac-based

backdoor

MiniDuke behaves similarly
to HAMMERTOSS by not only
using Twitter for CnC, but also
by downloading image files
containing encrypted, appended

content.


2 “Miniduke still duking it out.” ESET Security. 20 May 2014. http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/ Balazs, Biro, Christian Istrate, and Mairus Tivaradar. A Closer Look at
MiniDuke. BitDefender. 2013. http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf. James, Peter. Flashback Mac Malware Uses Twitter as Command and
Control Center. Intego’s The Mac Security Blog. 5 March 2012. http://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center. Coogan, Peter.
“Twittering Botnets.” Symantec Security Blog. 14 Aug 2009. http://www.symantec.com/connect/blogs/twittering-botnets. Kessler, Michelle. “Hackers harness Twitter to do their dirty work.” USA Today.
17 August 2008. http://content.usatoday.com/communities/technologylive/post/2009/08/68497133/1#.VbJVi4q9_Vs.

9


-----

**STAGE 3:**
Visiting GitHub to Download an Image

|Col1|APT29’s operator registers a GitHub page and uploads an image.|
|---|---|
|||



obtain the image.


**Figure 4:** The URL specified in the tweet (in this case, a GitHub page)
contains an image with appended and encrypted data


AMMERTOSS then uses the `InternetExplorer.`
`Application COM` `Object` to visit the URL specified in
#### H a tweet. We have observed URLs lead to specific GitHub

accounts or compromised websites.

We will use Github for the next part in our example. Once
HAMMERTOSS obtains the GitHub URL from its daily Twitter
account, it visits the URL and downloads the contents of the
page, including any image files.

10


-----

**STAGE 4:**
APT29 Employs Basic Steganography



1. HAMMERTOSS
downloads the image
from the specified URL,
retrieves the image
from Internet Explorer’s
browser cache, and
begins the process of
decryption.

AMMERTOSS downloads the

contents of the website to
#### H Internet Explorer’s browser cache

and searches the cache for any images
at least as large as the offset specified in
the tweet from Stage 2.

While the image appears normal,
it actually contains steganographic
data. Steganography is the practice of
concealing a message, image, or file
within another message, image, or file. In
this case, the image contains appended
and encrypted data that HAMMERTOSS
will decrypt and execute. The data may
include commands or login credentials to
upload a victim’s data to a cloud storage
service. HAMMERTOSS locates the

encrypted data at the offset specified in
the tweet in Stage 2. It decrypts the data
using a key comprised of hard-coded
data from the malware binary appended
with the characters from the tweet.

**Figure 5:** Encrypted data appended beyond
the `FF D9` JPEG End of File marker






3. HAMMERTOSS decrypts the image using a hard-coded key
appen ~~d~~ e ~~d~~ w ~~ith~~ ~~th~~ e c ~~h~~ arac ~~t~~ ers o ~~bt~~ a ~~i~~ ne ~~d~~ ~~f~~ rom ~~th~~ e ~~t~~ wee ~~t~~ ~~i~~ n ~~St~~ age ~~2~~ .


appended data is encrypted, so
even if detected, the investigator
would be unable to decrypt the
data without key material from
two sources: the malware binary
and the current tweet.

Indicative of APT29’s discipline,
the group ensures that if
network defenders discover


the images, the defenders still
require the malware sample,
corresponding Twitter handle,
and tweet with the additional
key material to decrypt the tool’s
instructions. All of the samples
we have observed have used
different encryption keys to
decrypt the appended content.

11


**STEGANOGRAPHY**


We have observed only a few
APT groups using steganography.
HAMMERTOSS uses
steganography by appending
data to an image file after the
image’s end of file marker. This
technique would be readily
detectable if someone was
checking for it. However, the


-----

**STAGE 5:**
Executing Commands and Uploading Victim Data

|Col1|APT29’s operator creates the cloud storage account and can obtain the victim’s data from the cloud storage service.|
|---|---|
|||






~~**Figure**~~ ~~**6:**~~ ~~Executing~~ ~~Commands~~ ~~and~~ ~~Removing~~ ~~Data~~

he encrypted data in the image may include
instructions to execute commands via
#### T PowerShell, execute a direct command or

file, or save an executable to disk and execute it.

In several cases, the commands directed
HAMMERTOSS to upload information from
victim networks to accounts on cloud storage
services using login credentials received in


Stage 4. In our GitHub example, the decrypted
data instructed the backdoor to obtain a list of

running tasks—reconnaissance on the victim
network—and upload it to a specific account on a
cloud storage service using the login credentials.
APT29 can then easily obtain the extracted
information from the cloud storage service at
their convenience.


12


-----

**CONCLUSION**
Difficulty Identifying Accounts, Discerning Legitimate
and Malicious Traffic, and Locating the Payload


AMMERTOSS undermines network

defenders’ ability to identify Twitter
#### H accounts used for CnC, discern malicious

network traffic from legitimate activity, and
locate the malicious payloads downloaded by
the malware.

 - Identifying daily potential Twitter accounts

requires network defenders to have access to
the associated HAMMERTOSS binary and to
reverse engineer it to identify the basename
and the algorithm used to create the potential
accounts. Monitoring malicious tweets from
these accounts is difficult as each sample is
capable of generating hundreds of potential
Twitter accounts annually, and APT29 may
only register a small number of those accounts
for CnC.

 - Employing legitimate web services that are

widely allowed in organizations’ networks—
some of which use Secure Sockets Layer
connections that ensure the communications

are encrypted—makes it harder for network
defenders to discern between malicious and

legitimate traffic.

 - Using steganography and varying the image size

makes the target payload—the image containing
the appended, encoded commands—less
predictable. Even if the network defenders are
able to predict or identify the target payloads,
they need the associated HAMMERTOSS
sample and relevant tweet containing the
related encryption key information to decrypt
the contents.


**APT29: AN ADAPTIVE AND DISCIPLINED**

**THREAT GROUP**

HAMMERTOSS illustrates APT29’s ability to adapt
quickly during operations to avoid detection and
removal. For example, if an organization blocks
access to GitHub, APT29 could easily redirect
HAMMERTOSS to download an image with
encrypted instructions from another website.
Similarly, if an organization starts monitoring
Twitter activity on their network, APT29 could
easily switch to using the *Uploader* variant of
HAMMERTOSS, which does not use Twitter and
communicates directly to a specified URL. If an
organization identifies the handle generation
algorithm and attempts to research old Twitter
accounts, tweets, or secondary URLs, APT29
could easily delete previously used accounts or the
locations where images were stored.

While each technique in HAMMERTOSS is not
new, APT29 has combined them into a single piece
of malware. Individually, each technique offers
some degree of obfuscation for the threat group’s
activity. In combination, these techniques make it
particularly hard to identify HAMMERTOSS or spot
malicious network traffic; determine the nature
and purpose of the binary; discern the malware’s
CnC method and predict its CnC accounts; capture
and decode second-stage CnC information; and
pinpoint and decrypt the image files containing
malware commands. This makes HAMMERTOSS

a powerful backdoor at the disposal of one of the
most capable threat groups we have observed.

13


-----

To download this or other

FireEye Threat Intelligence reports,

**visit** [: https://www.fireeye.com/reports.html](https://www.fireeye.com/reports.html)

[FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com |](mailto:info%40FireEye.com) **[www.fireeye.com](http://www.fireeye.com)**

© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of
FireEye, Inc. All other brands, products, or service names are or may be trademarks
or service marks of their respective owners. SP.APT29.EN-US.072015


-----