
HAMMERTOSS malware represents culmination of ‘best practices’ for cyber attackers

In only a year, a Russian Advanced Persistent Threat (APT) group has come to exemplify the future of cyber threats. It's only a matter of time, FireEye researchers warned, until the group's tactics make their way over to the cybercrime underworld.

The group, known as APT29, uses a new malware called HAMMERTOSS to maintain a covert presence in victims' systems, FireEye wrote in its report on the malware. Oftentimes, the company's staff said, the malware is used as a last effort, or “the big gun,” when other tools cease working.

Its two variants rely on multiple tactics to remain hidden and successful; it's a hodgepodge of techniques pieced together.

FireEye broke the malware down into five stages to explain how it receives commands to then extract information from a victim's network. To start, the malware generates a different Twitter handle every day for each backdoor created. The handle is chosen through a specified algorithm, and by knowing these rules, the perpetrators can post to the accounts.

HAMMERTOSS checks this programmed handle every day for instructions. If all functions correctly, the people behind the malware will have posted a tweet there with a URL and a hashtag.

The URL directs the malware to a webpage containing an image, and the hashtag offers a number that represents a location within the image file and characters for appending to an encryption key in order to decrypt instructions embedded in the image.

HAMMERTOSS uses the InternetExplorer.Application COM object to visit the URL, which oftentimes leads to specific GitHub accounts or compromised websites.

Once at the desired website, the malware downloads the contents of the page, including image files. It's within these image files that the malware finds encrypted data it will decrypt and execute. The data could include instructions to execute commands via PowerShell, execute a direct command or file, or save an executable to disk and execute it.

In other cases, the malware is instructed to upload information from a victim's network to accounts on cloud storage services using logins it gathered from downloading the website's contents.
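For defenders, the stages above leave an ordered trail in web proxy logs: a Twitter handle lookup, an image fetch, then an upload to cloud storage. The following is an added hunting sketch, not code from FireEye or the original article; the log layout, the domain sets (`storage.example` is a placeholder), the 10-minute window and all sample log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions of this sketch: the domain sets, the log layout, the 10-minute window.
HANDLE_HOSTS = {"twitter.com"}
CLOUD_HOSTS = {"storage.example"}   # placeholder for cloud storage services
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
WINDOW = timedelta(minutes=10)

# Constructed proxy log: time, client, method, domain, path
SAMPLE_LOG = """\
2015-07-29T09:00:01 ws-114 GET twitter.com /handle_of_the_day
2015-07-29T09:00:04 ws-114 GET github.com /example-user/repo/cover.jpg
2015-07-29T09:00:30 ws-114 POST storage.example /upload
2015-07-29T09:05:00 ws-207 GET twitter.com /newsdesk
2015-07-29T09:05:02 ws-207 GET cdn.example /photo.png
2015-07-29T11:40:00 ws-207 POST storage.example /upload
"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return sorted((datetime.fromisoformat(t), c, m, d, p) for t, c, m, d, p in rows)

def classify(method, domain, path):
    # Map a request to the stage of the described chain it could belong to.
    if method == "GET" and domain in HANDLE_HOSTS:
        return 0                    # daily handle lookup
    if method == "GET" and path.lower().endswith(IMAGE_EXT):
        return 1                    # image fetched from the tweeted URL
    if method in ("POST", "PUT") and domain in CLOUD_HOSTS:
        return 2                    # upload to cloud storage
    return None

def find_chains(events):
    """Return {client: (t_lookup, t_image, t_upload)} for in-order chains inside WINDOW."""
    progress, hits = {}, {}
    for ts, client, method, domain, path in events:
        stage = classify(method, domain, path)
        times = progress.get(client, [])
        if times and ts - times[0] > WINDOW:
            times = []              # chain expired, start over
        if stage == 0:
            times = [ts]            # newest lookup restarts the chain
        elif stage == len(times):
            times = times + [ts]    # next expected stage observed
        if len(times) == 3:
            hits[client] = tuple(times)
            times = []
        progress[client] = times
    return hits
```

Each of the three requests is common on its own, so a hit is a lead for an analyst to review alongside endpoint data, not a verdict.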

“This is a perfect example of a combination of best practices for bad guys who are trying to thwart defenses and researchers,” said Jen Weedon, manager, threat intelligence at FireEye, in an interview with

While the group currently targets entities pertaining to Russian interests, such as Western European governments, foreign policy groups and other organizations with valuable information for the country, that doesn't mean others won't create similar attacks with separate goals.

Weedon's colleague, Jordan Berry, threat intelligence analyst at FireEye, noted it could signal the beginning of a trend in cybercrime.

“As we've seen so often with Advanced Persistent Threats, where they go, the cybercriminals often follow,” Berry said.

As for prevention, Weedon stressed consistent internal monitoring as opposed to a sole focus on preventing attacks, as networks impacted by HAMMERTOSS were often already compromised.
