How The Russian Abused Twitter as C&C in Hammertoss Malware? Python Answers

Today, we will replicate a technique which has been used by recent, sophisticated and hard to trace a Russian malware called Hammertoss.

Today, we will replicate a technique which has been used by recent, sophisticated and hard to trace a Russian malware called Hammertoss, the creators of this malware has abused multiple well-known sites like Twitter and Github to defeat modern firewalls and torture whoever tracing their tracks.

In a nutshell, instead of getting a direct reverse connection back to the C&C server similar to what traditional malware does, this smart malware will jump between third party servers to perform its malicious activity, please take two minutes and watch this[https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html/] short explanatory video from Fireeye so you will get a quick overview how the malware works.

Before the fun begins, I just want to mention that this code is a part of my new training course on Udemy called “Python for Offensive Pentest: A Complete Practical Course.”

All right, so the first stage of Hammertoss was to connect to a Twitter looking for a tweet created by the hackers which contains a URL for an image and hashtag as a part of the encryption key. Technically speaking, you don’t need to login into Twitter to parse someone’s tweet, so in this case, we just need to figure out the account URL to navigate and the HTML tags which contain the actual tweet, Keep in mind you can add other twitter accounts to hide the original one (which belongs to the hacker).

Obviously you should never your personal account while doing similar stuff, that’s why I created a new account holding my name and here’s is the link to my twitter home page:

https://twitter.com/HussamKhrais

Now from my Kali machine, I made a tweet saying “Hello from kali python” then I logged out, at this point once we click on the above URL, we should see something similar to this output

Now using your browser you can view the HTML source code of this page, in Chrome just do a right click anywhere in the page and select “View page source” or Ctrl+U for short, in the HTML if we search for our tweet, we will get the below HTML line:-

<meta name="description" content="The latest Tweets from Hussam Khrais (@HussamKhrais): &quot;Hello from kali python&quot;">

So technically if we code a simple script that will navigate to https://twitter.com/HussamKhrais

And retrieve the HTML page, then inside the HTML if we search for meta tag called name that has a value of description and asked for the value of content, then we should be able to grab our tweet.

Let’s translate this action to a code:-

fromBeautifulSoup import BeautifulSoup as soupy #1
importurllib #2
html = urllib.urlopen(‘https://twitter.com/HussamKhrais’).read() #3
soup = soupy(html) #4
x = soup.find(“meta”, {“name”:”description”})[‘content’] #5
print x #6

1# Import soupy function from BeautifulSoup library, we will use this function to search for the html tags

2# Import urllib which will be used to navigate to our twitter page and grab the html for us

3# Navigate to my twitter home page HussamKhrais, store the HTML page into html variable

4# Pass it to soupy function so we can parse it

5# Here we search for the HTML meta tags

6# Print the result out

The output for running the script would be

At this point, since we are only interested in having the string between the quotation marks, we can filter it out using regular expression, and that is exactly what the below script will do for us

importre
filter = re.findall(r'”(.*?)”‘,x)
tweet = filter[0]
print tweet

the “findall” function will grab the string between the ” ” and store it in a list data type called filter, finally we print the exact tweet.

After putting all the script pieces together, we got the below result

Please feel free to download the script and give it a try on your own tweet!

Now think about it for a second, can we use twitter to replace DDNS? Well, what will happen if we replace “Hello from kali python” with the attacker public IP, and each time the attacker IP changes, all what he needs to do is to send a tweet with the new IP to get the reverse connection for his victim!

A question for you…

After reading this article, do you think that can you code in Python a complete AV free remote shell and exfiltrate data without even having a single direct connection with your target? Please share your thoughts.

If you are interested on the topic you can go deeper following the course “Python For Offensive PenTest: A Complete Practical Course”

About the Author Hussam Khrais

Hussam Khrais is a senior security engineer with over 4 years in penetration testing, Python scripting and network security where he spends countless hours in forging custom hacking tools in Python.
Hussam currently holds the following certificates in information security:-
-GIAC Penetration Testing – GPEN
-Certified Ethical Hacker – CEH
-Cisco Certified Network Professional – Security (CCNP Security)

Edited by Pierluigi Paganini

(Security Affairs – Hammertoss, pyton)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.