APT 29 use Twitter to control its Hammertoss data stealer

Experts at FireEye discovered a new APT group dubbed APT 29 that is exploiting Twitter to mask the activities of their data-stealer malware.

Experts at FireEye uncovered a group of alleged Russian hackers, dubbed APT 29, that is exploiting Twitter to mask the activities of their data-stealer malware.

The hackers belonging to the APT 29 exploited Twitter in order to send commands to their malware, but according to the researchers from FireEye, the crew has improved its technique making hard the detection of its activities.

The experts at FireEye discovered that the APT 29 used a specific strain of malware dubbed Hammertoss, which has infected the systems of one of the company customers.

APT 29 has taken several steps to try to mask its communication with Hammertoss to avoid detection, according to a new report.

Hammertoss implements an algorithm that generates new Twitter handles every day, in this way the C&C server can communicate with Hammertoss by using specific Twitter accounts managed by the APT 29.

We have already discovered in the past threat actors using Twitter and other social media as Command and Control systems, the technique results very effective because many companies are unlikely to block outbound connections the social media platforms.

“Using a variety of techniques—from creating an algorithm that generates daily Twitter handles to embedding pictures with commands—the developers behind HAMMERTOSS have devised a particularly effective tool. APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS uses Twitter, GitHub, and cloud storage services to relay commands and extract data from compromised networks.” states the report from FireEye.

The hackers include the command for Hammertoss instances in a tweet containing a URL and a hashtag. The URL leads to an image on a different server that contains data hidden through a steganographic technique.

The hashtag is used to encode the file size of the image and a few characters that should be added to the decryption key stored within Hammertoss in order to allow the extraction of the hidden data.

“The HAMMERTOSS backdoor generates and looks for a different Twitter handle each day. It uses an algorithm to generate the daily handle, such as “234Bob234”, before attempting to visit the corresponding Twitter page. If the threat group has not registered that day’s handle, HAMMERTOSS will wait until the next day and look for a different handle” continues the report.

The experts noticed that APT 29 adopted several techniques to remain under the radar, for example Hammertoss is usually only active during the normal working day for infected organization, in this way the malicious traffic results quite difficult to detect.

The experts attributed Hammertoss to Russian hackers because it appears to be active during normal working hours in Moscow. The APT 29 did not work on Russian holidays.

Who are the targets of the APT 29 hacking campaigns?

Experts from FireEye speculate that APT 29 is primarily focused on compromising government organizations and collecting geopolitical information related to Russia, a circumstance that lead them to believe that it is a state-sponsored group.

“That’s why we believe they are in some way associated with the Russian government or working with Russia,” concludes the report.

Pierluigi Paganini

(Security Affairs – APT 29,  state-sponsored hackers)