F I R E E Y E T H R E A T I N T E L L I G E N C E ##### HAMMERTOSS: ###### Stealthy Tactics Define a Russian Cyber Threat Group JULY 2015 S P E C I A L R E P O R T ## SECURITY ----- ###### HAMMERTOSS 3 APT29 5 Introducing HAMMERTOSS 6 Five Stages of HAMMERTOSS 6 Stage 1: The Communication Process Begins with Twitter 7 Figure 1: HAMMERTOSS calls out to a Twitter handle 7 Stage 2: Tweeting a URL, Minimum File Size of an Image, and Part of an Encryption Key 8 Figure 2: Learning the URL, image size, and encryption key 8 Figure 3: Twitter page for d3109c83e07dd5d7fe032dc80c581d08 9 Stage 3: Visiting GitHub to Download an Image 10 Figure 4: The active Twitter account in our sample contained a GitHub URL and a related GitHub page with image containing encrypted data 10 Stage 4: APT29 Employs Basic Steganography 11 Figure 5: Encrypted data appended beyond the FF D9 JPEG End of File marker 11 Stage 5: Executing Commands and Uploading Victim Data 12 Figure 6: Executing Commands and Removing Data 12 Conclusion 13 Difficulty Identifying Accounts, Discerning Legitimate and Malicious Traffic, and Predicting the Payload APT29: An Adaptive and Disciplined Threat Group 13 ----- ###### HAMMERTOSS he Russian cyber threat groups that we monitor frequently design innovative ways to cover their tracks. In early 2015, #### T we came across stealthy malware—which we call HAMMERTOSS—from an advanced persistent threat group that we suspect the Russian government sponsors. We designate this group APT29. Using a variety of techniques—from creating an algorithm that generates daily Twitter handles to embedding pictures with commands—the developers behind HAMMERTOSS have devised a particularly effective tool. APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS uses Twitter, GitHub, and cloud storage services to relay commands and extract data from compromised networks. ###### Using a variety of techniques—from creating algorithms that generate daily Twitter handles to embedding pictures with commands—the developers behind HAMMERTOSS have devised a particularly effective tool. ----- ###### HAMMERTOSS works by: While none of these tactics are new, the combination of these techniques piqued our interest. ----- # APT29KALININGRAD TIME MOSCOW TIME SAMARA TIME YEKATERINBURG TIME OMSK TIME KRASNOYARSK TIME IRKUTSK TIME |KALININGRAD TIME|MOSCOW TIME|SAMARA TIME|YEKATERINBURG TIME|OMSK TIME|KRASNOYARSK TIME|IRKUTSK TIME|YAKUTSK TIME|VLADIVOSTOK TIME|SREDNEKOLYMSK TIME|KAMCHATKA TIME| |---|---|---|---|---|---|---|---|---|---|---| |||||||||||| |||||||||||| |(UTC + 02/MSK-1)|(UTC + 03/MSK)|(UTC + 04/MSK+1)|(UTC + 05/MSK+2)|(UTC + 06/MSK+3)|(UTC + 07/MSK+4)|(UTC + 08/MSK+5)|(UTC + 09/MSK+6)|(UTC + 10/MSK+7)|(UTC + 11/MSK+8)|(UTC + 12/MSK+9)| APT29 has been operating in its current form since at least late 2014. We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg. While other APT groups try to cover their tracks to thwart investigators, very few groups show the same discipline and consistency. Similarly, few groups display the ability to adapt to network defenders’ attempts to mitigate its activity or remove it from victim networks. For example, APT29 almost always uses anti-forensic techniques, and they monitor victim remediation efforts to subvert them. Likewise, the group appears to almost solely uses compromised servers for CnC to enhance the security of its operations and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection. These aspects make APT29 one of the most capable APT groups that we track. ----- ###### INTRODUCING HAMMERTOSS e first identified HAMMERTOSS in early 2015. APT29 likely used #### W HAMMERTOSS as a backup for their two primary backdoors to execute commands and maintain access if the group’s principal tools were discovered. We have identified two HAMMERTOSS variants that give APT29 alternative ways to communicate with the malware. The developer appears to name these variants uploader and _tDiscoverer.[1] Both variants are written_ in the C# programming language. Each variant uses different methods to acquire CnC instructions, either by directly accessing a hard-coded website or accessing Twitter as an intermediary. - _Uploader is preconfigured to use a_ hard-coded server for its CnC. It goes to a specific URL to obtain an image with a specific file size. - _tDiscoverer uses an additional layer of_ obfuscation by first going to Twitter to obtain a CnC URL, before visiting the URL to acquire its target image. We will focus on tDiscoverer in this report. ###### Five Stages of HAMMERTOSS We have broken down the malware communication process into five stages to explain how the tool operates, receives instructions, and extracts information from victim networks. The stages include information on what APT29 does outside of the compromised network to communicate with HAMMERTOSS and a brief assessment of the tool’s ability to mask its activity. **2** TWEETS1 **1** **bobby** **Tweets** Tweet & replies @1abBob52b **bobby Follow @1abBob52b doctorhandbook.com #101docto[•] July 29** 2. HAMMERTOSS visits the associated Twitter account and looks for a tweet with a URL and a hashtag that indicates the location and minimum size of an image file. **3** 3. HAMMERTOSS visits the URL and obtains an **4** image. 4. The image looks normal, but actually contains hidden and encrypted data using **010111101101 111011011110** **Note: The images are** steganography. **010111101 10 010111101** stock photography and were not used by the HAMMERTOSS decrypts the group. hidden data to obtain commands. TWEETS ----- ###### STAGE 1: The Communication Process Begins with Twitter TWEETS **Figure 1: HAMMERTOSS calls out to a Twitter handle** |3a. APT29’s ope the handle. HAMMERTOSS Twitter page and tweet that provid on the next phas|rator registers goes to the looks for a es instructions e of the process.| |---|---| ||| |3b. APT29’s operator does not register the handle. HAMMERTOSS waits until the next day to begin the process again.|| AMMERTOSS first looks for instructions on Twitter. The malware contains an ### H algorithm that generates a daily Twitter handle, which is an account user ID. To create the handles, the algorithm employs a basename, such as “Bob,” and appends and prepends three CRC32 values based on the date. For example, “1abBob52b” would have the URL: hxxps://twitter.com/1abBob52b. Each HAMMERTOSS sample will create a different Twitter handle each day. APT29 knows the algorithm used to generate the handles and chooses to register a Twitter handle and post obfuscated instructions to the handle’s URL before the malware attempts to query it. If a particular day’s handle is not registered and the URL for that day is not found, HAMMERTOSS will wait until the next day to attempt to communicate with another handle. APT29 typically configures HAMMERTOSS to communicate within certain restrictions, such as only checking the Twitter handle on weekdays or after a specified start date. This allows the malware to blend in to “normal” traffic during the victim’s work week or to remain dormant for a period of time before activating. ----- ###### STAGE 2: Tweeting a URL, Minimum File Size of an Image, and Part of an Encryption Key If APT29’s operator has registered that particular day’s handle, he will tweet a URL and hashtag. TWEETS ###### 1 bobby Tweets Tweet & replies @1abBob52b **bobby @1abBob52b [•] July 29** Follow doctorhandbook.com #101docto URL: In the case above, the tweet instructs HAMMERTOSS to download the content hosted at the specified URL, including any f APT29 has registered that day’s Twitter handle, images on the page. In the they will tweet a URL and a hashtag. The URL example we will discuss later, Hashtag: The tweet also directs HAMMERTOSS to a webpage containing the tweet included a URL on contains a hashtag with **I** GitHub. information to allow an image or images. The hashtag provides a number HAMMERTOSS to extract representing a location within the image file and encrypted instructions from an image file. The hashtag characters for appending to an encryption key indicates that the hidden to decrypt instructions within the image. In the data is offset 101 bytes mockup of a HAMMERTOSS tweet in Figure 2, into the image file and the characters to be used for the hashtag was #101docto, indicating that the decryption are docto. encrypted data begins at an offset of 101 bytes into the image file, and the characters docto should be added to the encryption key to decrypt the data. Using Twitter as an intermediary to deliver the **Figure 2: Learning the URL, image size, and encryption key** second-stage CnC to HAMMERTOSS allows APT29 to dynamically direct the tool. ----- In Figure 3 is a sample of the HAMMERTOSS tDiscoverer variant and a corresponding snapshot of a Twitter account page from one of its generated handles. At the time of publication, a publicly available HAMMERTOSS sample had only five generic detections in VirusTotal. The Twitter account was active and contained a link to a website. |MD5:|d3109c83e07dd5d7fe032dc80c581d08 (VirusTotal)| |---|---| |SHA1:|42e6da9a08802b5ce5d1f754d4567665637b47bc| |Timing Behavior:|Communicate on weekdays only after April 3, 2015| |Active Twitter Handle:|twitter[.]com/3c6Diallo7f0 (Figure 3 below)| |Tweeted URL, Hashtag:|hxxp://www[.]doctorhandbook[.]com, #101docto| |Detection Ratio:|5/56| |Metadata:|| **Figure 3: Twitter page for d3109c83e07dd5d7fe032dc80c581d08** ###### HIDING AMONG UNREGISTERED TWITTER ACCOUNTS AMMERTOSS uses an algorithm to generate hundreds of Twitter #### H handles annually for potential CnC. Many of these are unregistered, as APT29 chooses to register a particular day’s handle as needed and ahead of an anticipated HAMMERTOSS beacon. This small number of registered accounts allows the group to maintain a small footprint. Other tools use Twitter to relay instructions, including:[2] - MiniDuke, a Windows-based backdoor that is a suspected Russian tool - the Sninfs botnet - Flashback, a Mac-based backdoor MiniDuke behaves similarly to HAMMERTOSS by not only using Twitter for CnC, but also by downloading image files containing encrypted, appended content. 2“Miniduke still duking it out.” ESET Security. 20 May 2014. http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/ Balazs, Biro, Christian Istrate, and Mairus Tivaradar. A Closer Look at MiniDuke. BitDefender. 2013. http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf. James, Peter. Flashback Mac Malware Uses Twitter as Command and Control Center. Intego’s The Mac Security Blog. 5 March 2012. http://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center. Coogan, Peter. “Twittering Botnets.” Symantec Security Blog. 14 Aug 2009. http://www.symantec.com/connect/blogs/twittering-botnets. Kessler, Michelle. “Hackers harness Twitter to do their dirty work.” USA Today. 17 August 2008. http://content.usatoday.com/communities/technologylive/post/2009/08/68497133/1#.VbJVi4q9_Vs. ----- ###### STAGE 3: Visiting GitHub to Download an Image |Col1|APT29’s operator registers a GitHub page and uploads an image.| |---|---| ||| **Figure 4: The URL specified in the tweet (in this case, a GitHub page)** contains an image with appended and encrypted data AMMERTOSS then uses the InternetExplorer. ``` Application COM Object to visit the URL specified in ``` a tweet. We have observed URLs lead to specific GitHub #### H accounts or compromised websites. We will use Github for the next part in our example. Once HAMMERTOSS obtains the GitHub URL from its daily Twitter account, it visits the URL and downloads the contents of the page, including any image files. ----- ###### STAGE 4: APT29 Employs Basic Steganography 1. HAMMERTOSS downloads the image from the specified URL, retrieves the image **1** from Internet Explorer’s browser cache, and begins the process of decryption. AMMERTOSS downloads the contents of the website to Internet Explorer’s browser cache #### H and searches the cache for any images **010111101101 111011011110 3** **010111101** at least as large as the offset specified in **10 010111101** the tweet from Stage 2. While the image appears normal, it actually contains steganographic data. Steganography is the practice of concealing a message, image, or file within another message, image, or file. In this case, the image contains appended and encrypted data that HAMMERTOSS will decrypt and execute. The data may include commands or login credentials to 3. HAMMERTOSS decrypts the image using a hard-coded key upload a victim’s data to a cloud storage appended with the characters obtained from the tweet in Stage 2. service. HAMMERTOSS locates the encrypted data at the offset specified in the tweet in Stage 2. It decrypts the data End of File Marker using a key comprised of hard-coded data from the malware binary appended with the characters from the tweet. **010111101101 3** **111011011110** **010111101** **10 010111101** **Figure 5: Encrypted data appended beyond** the FF D9 JPEG End of File marker ###### End of File Marker ###### APT29 ADDING STEGANOGRAPHY AS ANOTHER LAYER OF OBFUSCATION We have observed only a few APT groups using steganography. HAMMERTOSS uses steganography by appending data to an image file after the image’s end of file marker. This technique would be readily detectable if someone was checking for it. However, the appended data is encrypted, so even if detected, the investigator would be unable to decrypt the data without key material from two sources: the malware binary and the current tweet. Indicative of APT29’s discipline, the group ensures that if network defenders discover the images, the defenders still require the malware sample, corresponding Twitter handle, and tweet with the additional key material to decrypt the tool’s instructions. All of the samples we have observed have used different encryption keys to decrypt the appended content. **Figure 5:** the FF D9 ###### APT29 ADDING OF OBFUSCATION ----- ###### STAGE 5: Executing Commands and Uploading Victim Data |Col1|APT29’s operator creates the cloud storage account and can obtain the victim’s data from the cloud storage service.| |---|---| ||| **1** **Figure 6: Executing Commands and Removing Data** **1** **2** 2. HAMMERTOSS is capable of uploading victim data to a cloud storage service. he encrypted data in the image may include instructions to execute commands via PowerShell, execute a direct command or #### T file, or save an executable to disk and execute it. In several cases, the commands directed HAMMERTOSS to upload information from victim networks to accounts on cloud storage services using login credentials received in Stage 4. In our GitHub example, the decrypted data instructed the backdoor to obtain a list of running tasks—reconnaissance on the victim network—and upload it to a specific account on a cloud storage service using the login credentials. APT29 can then easily obtain the extracted information from the cloud storage service at their convenience. ----- ###### CONCLUSION Difficulty Identifying Accounts, Discerning Legitimate and Malicious Traffic, and Locating the Payload AMMERTOSS undermines network defenders’ ability to identify Twitter accounts used for CnC, discern malicious #### H network traffic from legitimate activity, and locate the malicious payloads downloaded by the malware. - Identifying daily potential Twitter accounts requires network defenders to have access to the associated HAMMERTOSS binary and to reverse engineer it to identify the basename and the algorithm used to create the potential accounts. Monitoring malicious tweets from these accounts is difficult as each sample is capable of generating hundreds of potential Twitter accounts annually, and APT29 may only register a small number of those accounts for CnC. - Employing legitimate web services that are widely allowed in organizations’ networks— some of which use Secure Sockets Layer connections that ensure the communications are encrypted—makes it harder for network defenders to discern between malicious and legitimate traffic. - Using steganography and varying the image size makes the target payload—the image containing the appended, encoded commands—less predictable. Even if the network defenders are able to predict or identify the target payloads, they need the associated HAMMERTOSS sample and relevant tweet containing the related encryption key information to decrypt the contents. ###### APT29: AN ADAPTIVE AND DISCIPLINED THREAT GROUP HAMMERTOSS illustrates APT29’s ability to adapt quickly during operations to avoid detection and removal. For example, if an organization blocks access to GitHub, APT29 could easily redirect HAMMERTOSS to download an image with encrypted instructions from another website. Similarly, if an organization starts monitoring Twitter activity on their network, APT29 could easily switch to using the Uploader variant of HAMMERTOSS, which does not use Twitter and communicates directly to a specified URL. If an organization identifies the handle generation algorithm and attempts to research old Twitter accounts, tweets, or secondary URLs, APT29 could easily delete previously used accounts or the locations where images were stored. While each technique in HAMMERTOSS is not new, APT29 has combined them into a single piece of malware. Individually, each technique offers some degree of obfuscation for the threat group’s activity. In combination, these techniques make it particularly hard to identify HAMMERTOSS or spot malicious network traffic; determine the nature and purpose of the binary; discern the malware’s CnC method and predict its CnC accounts; capture and decode second-stage CnC information; and pinpoint and decrypt the image files containing malware commands. This makes HAMMERTOSS a powerful backdoor at the disposal of one of the most capable threat groups we have observed. ----- ###### To download this or other FireEye Threat Intelligence reports, visit: https://www.fireeye.com/reports.html [FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com](mailto:info%40FireEye.com) © 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. SP.APT29.EN-US.072015 -----