In early 2015, we came across a backdoor, HAMMERTOSS, which is similarly designed to make it difficult for security professionals to detect and characterize the extent of APT29’s activity. The developers of HAMMERTOSS try to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS does this by using several commonly visited websites—Twitter, GitHub, and cloud storage services—to relay commands and extract data from victims.

HAMMERTOSS works by:

Retrieving commands via legitimate web services, such as Twitter and GitHub, or using compromised web servers for command and control (CnC),

Visiting different Twitter handles daily and automatically,

Using timed starts—communicating only after a specific date or only during the victim’s workweek,

Obtaining commands via images containing hidden and encrypted data, and

Extracting information from a compromised network and uploading files to cloud storage services.
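As an added example (not FireEye's code and not taken from the report), the following Python shows how a defender could screen proxy logs for the chain the list above describes: a Twitter handle that changes every day, an image fetched from GitHub, an upload to a storage service, and activity confined to the workweek. The log lines, host names and the storage domain are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (timestamp host method url), not taken from the report.
LOG = """\
2015-07-13T09:12:01 ws-042 GET https://twitter.com/1abBef3Dx
2015-07-13T09:12:05 ws-042 GET https://github.com/u/repo/raw/master/photo.jpg
2015-07-13T09:13:10 ws-042 PUT https://cloud-storage.example/upload/a1
2015-07-14T10:02:11 ws-042 GET https://twitter.com/b8Zq1Rt0
2015-07-15T09:45:00 ws-042 GET https://twitter.com/cQw9eR2Y
2015-07-13T11:00:00 ws-007 GET https://twitter.com/news_account
2015-07-14T11:05:00 ws-007 GET https://twitter.com/news_account
2015-07-18T13:00:00 ws-007 GET https://github.com/org/project
"""
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+)$")
HANDLE = re.compile(r"^https://twitter\.com/([A-Za-z0-9_]+)/?$")
IMAGE = re.compile(r"^https://github\.com/.*\.(?:jpe?g|png|gif)$", re.I)

def profile_hosts(log):
    """Per host: Twitter handles seen per day, GitHub image fetch, upload, weekend use."""
    hosts = defaultdict(lambda: {"handles_by_day": defaultdict(set), "image_fetch": False,
                                 "upload": False, "weekend": False})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, method, url = m.groups()
        when, p = datetime.fromisoformat(ts), hosts[host]
        if when.weekday() >= 5:        # Sat/Sun traffic argues against a workweek-only timer
            p["weekend"] = True
        h = HANDLE.match(url)
        if h:
            p["handles_by_day"][when.date()].add(h.group(1))
        elif IMAGE.match(url):
            p["image_fetch"] = True    # image pulled from GitHub, a possible stego carrier
        elif method in ("POST", "PUT"):
            p["upload"] = True         # outbound upload, possible staging to cloud storage
    return hosts

def hammertoss_like(p):
    """True when the handle changes every day and an image fetch plus an upload were seen."""
    days = p["handles_by_day"]
    distinct = set().union(*days.values()) if days else set()
    rotates = len(days) >= 2 and len(distinct) == sum(len(s) for s in days.values())
    return rotates and p["image_fetch"] and p["upload"] and not p["weekend"]

def flagged_hosts(log):
    return sorted(h for h, p in profile_hosts(log).items() if hammertoss_like(p))
```

A host that revisits the same handle each day, or that browses on weekends, is not flagged; only the full chain on weekdays is.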

APT29 is among the most capable groups that we track. While other APT groups try to cover their tracks to thwart investigators, APT29 stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts. In our report, we describe how HAMMERTOSS functions and how it demonstrates APT29’s capabilities.

FireEye products/services identify this activity as HAMMERTOSS within the user interfaces.

The complete report can be downloaded here.

FireEye is hosting a HAMMERTOSS webinar on August 25 with threat intelligence analysts, who will discuss the five stages of HAMMERTOSS, who APT29 is, and why this malware is so difficult to detect.