The Russian threat groups that we monitor frequently cover their tracks to evade detection. One of these groups, APT29, has been particularly active throughout 2015, redoubling its efforts with new downloaders, payloads, and targets. Several of our colleagues in the security industry have published research exposing some of APT29’s recent activities.
In early 2015, we came across a backdoor, HAMMERTOSS, which is similarly designed to make it difficult for security professionals to detect and characterize the extent of APT29’s activity. The developers of HAMMERTOSS try to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS does this by using several commonly visited websites—Twitter, GitHub, and cloud storage services—to relay commands and extract data from victims.
HAMMERTOSS works by:
- Retrieving commands via legitimate web services, such as Twitter and GitHub, or using compromised web servers for command and control (CnC),
- Visiting different Twitter handles daily and automatically,
- Using timed starts—communicating only after a specific date or only during the victim’s workweek,
- Obtaining commands via images containing hidden and encrypted data, and
- Extracting information from a compromised network and uploading files to cloud storage services.
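The fourth bullet is the one a defender can test for directly on disk or in a proxy cache. The post does not say how HAMMERTOSS hides its command data inside an image, so the check below rests on two stated assumptions: that the payload sits after the image's end marker (a well-formed PNG ends exactly at its IEND chunk, and viewers ignore anything that follows), and that encrypted data shows up as a high-entropy trailer. The code is an added example written for this page, not FireEye's or the report's code; the 7.0 bits/byte threshold, the `assess_png` name and the sample payload (SHA-256 chaining standing in for ciphertext) are all constructed here.

```python
import hashlib
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte that follows IEND.

    Chunk layout is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    Image viewers stop at IEND, so a trailer is invisible to a casual look
    at the picture. Raises ValueError if the input is not a parseable PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_png(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report the size and entropy of any post-IEND trailer.

    The threshold is an assumption chosen for this example: compressed or
    encrypted blobs sit near 8 bits/byte, text and zero padding sit far below.
    """
    trailer = png_trailer(data)
    entropy = shannon_entropy(trailer)
    return {
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(entropy, 2),
        "high_entropy": len(trailer) > 0 and entropy >= entropy_threshold,
    }


# --- constructed sample input, so the example runs offline -------------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """1x1 8-bit grayscale PNG: IHDR, one IDAT (filter byte + pixel), IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


CLEAN_PNG = make_minimal_png()
FAKE_ENCRYPTED = pseudo_random_bytes(2048)   # constructed stand-in payload
TEXT_TRAILER = b"comment " * 8               # low-entropy trailer for contrast

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG),
                        ("high-entropy trailer", CLEAN_PNG + FAKE_ENCRYPTED),
                        ("text trailer", CLEAN_PNG + TEXT_TRAILER)):
        print(label, assess_png(blob))
```

A trailer on its own is only a lead: some tools do write data after IEND, so the entropy figure is what separates a stray comment from a blob worth pulling apart, and the check says nothing about an image whose payload is hidden in the pixel data itself.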
APT29 is among the most capable groups that we track. While other APT groups try to cover their tracks to thwart investigators, APT29 stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts. In our report, we describe how HAMMERTOSS functions and how it demonstrates APT29’s capabilities.
FireEye products/services identify this activity as HAMMERTOSS within the user interfaces.
The complete report can be downloaded here.