Hammertoss: The Russian Government Malware that Uses Twitter to Steal Information

Antivirus software can’t find every malware program on your computer or device. This does not mean you shouldn’t use it, only that all malware detection software has limitations. Good malware designers know this and know how to hide their exploits so they don’t expose themselves. Your device might be working perfectly well and still have undetectable malware on it. The malware developers may be silently watching your activity so that they can deploy the malware at the right moment.

But not only malware designers may be watching your computer use. If you are on a network, such as a company network, your IT department may be watching everything that you do on your device. When you take time out of your work day to watch YouTube videos, they will know it. They can arrange it so that your device sends them a log of your activities that they can look through at their leisure. There is nothing illegal about a company doing this. It falls under the general term of ’employee internet management’ and most firms do it because most employees spend at least part of their day doing non-work related activities. Trying to hide personal activities by using encryption or VPNs only shows your employer that you are probably engaging in such activities.

Now, imagine malware that pretends to act just like you. That is, it does activities that you would normally do on your computer or online so that nothing unusual can be detected by software or administrators when they look through your logs. That’s kind of what the Russian government’s Hammertoss malware does.

So let’s suppose that somehow Hammertoss has been installed on your computer. Generally, Hammertoss is looking for high profile targets because its goal is to steal information. However, no matter how low a level employee you may be, if you are connected to an important network, you could qualify as a high profile target.

Here’s what Hammertoss will do if it is on your computer. Each day, it will contact a different Twitter account. This account name is generated by the malware itself using an algorithm it contains. However, the controllers know the algorithm and know what account name will be generated on each day because the algorithm uses the date to help create the Twitter account name. So, in advance, the controllers have opened an account in the predetermined name. Here, they place a tweet with instructions for the malware. When the malware visits the new Twitter account name that it generated, it will look for instructions on what to do next. On some days there are in instructions and some days there are not. The malware is also designed to visit the Twitter account only during normal working hours. This makes it look like normal user activity.

If the day’s account is active, the malware will find instructions in the form of an URL and a hashtag as in the following image provided by FireEye.

hammer tweet

The malware will, then, visit the URL and download any images on that page. The hashtag indicates what method should be used to decrypt the data in the image file.

Hiding information within an image is called, steganography. (See my post on How Terrorists Communicate for more information.)

The information hidden in the image is code telling the malware what to do next. Often, the instruction is to upload stolen information to cloud storage. Login credentials for the cloud storage site will be included in the encrypted code. Thus, no suspicious files for storage are created on the infected device. The malware remains undetected and continues performing its daily tasks. Keep in mind that these tasks could include anything from penetrating the network to steal sensitive information, installing keyloggers to read passwords, or encrypting a company’s data to start a ransomware attack.

The Raytheon Connection

 Raytheon hammer

 The CIA’s Umbrage team analyzes malware that it finds in the wild and determines whether any of the malware’s components can be gleaned for their own uses. Apparently, Raytheon’s Blackbird Technologies worked with the CIA in analyzing some of this malware and Hammertoss was one of the malware packages it assessed.

FireEye claims that it first identified Hammertoss in early 2015. Raytheon acquired Blackbird Technologies in November of 2014. FireEye probably alerted the CIA of its find and the CIA handed the malware over to Raytheon to determine whether it had any useful components. The only way we learned of this cooperation between the CIA and Raytheon is because the information was included as part of Wikileak’s Vault7 releases.

Raytheon’s analysis found the malware interesting in its use of social media as a control and command center. It also suggested that the CIA develop an algorithm to generate Twitter handles similar to that used in Hammertoss.

A recent study found that up to 48 million Twitter accounts may be fake. In such a case, it is unlikely that the daily accounts generated by Hammertoss would be discovered and removed before they were used unless Twitter or the CIA had control of the algorithm that generated these account names. Even if they did, the Russian group in control of this malware (APT29) could easily tweak it to form accounts with different names. GitHub was another site that held images with hidden code. It might be thought that a company blocking employees from accessing this site would solve the problem; however, it is more likely that the malware could pre-determine which sites are allowed to be accessed on a network. If this is the case, the malware could simply direct victims to allowed sites to perform its work. Companies and organizations would have to block access to sensitive information stored on its networks with other types of architecture, such as using hardware separation on endpoints, which is not dependent on the analysis of logs to ascertain abnormal computer use.

As attackers get better at hiding malware on devices, non-tradition malware detection and intrusion prevention must be added to the growing number of security layers on any network.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s