Russian attackers are using a malware tool that helps them hide within legitimate network traffic by leveraging common web services, researchers said.
The malicious backdoor, named “HAMMERTOSS” by FireEye researchers, was first identified by the security firm earlier this year, and a Russian APT group is using it to relay commands and extract data from compromised targets.
The bad guys behind HAMMERTOSS are APT29, a group FireEye said is “one of the most capable” threat groups they track.
FireEye researchers said the communication process used by HAMMERTOSS can be broken down into several stages that explain how the tool operates, receives instructions, and extracts information from a victim’s network.
The first stage leverages Twitter, using specific accounts that are created by a predictable algorithm and change daily.
In the second stage, the malware looks for a tweet containing a URL and a hashtag. The URL will direct the malware implant to download an image.
In the third stage, the malware downloads the image the tweet points to; encrypted data appended to the end of the image file carries the instructions for the malware.
While the image appears normal, it actually contains steganographic data. Steganography is the practice of concealing a message, image, or file within another message, image, or file, FireEye’s report said.
The malware then uses PowerShell to execute commands on the compromised host and sends that information to a cloud storage provider.
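A defender-side check for the image stage described above, added here as an example and not code from FireEye's report or from the HAMMERTOSS tooling: it walks a PNG's chunks or a JPEG's segments to the format's real end-of-image marker and reports how many bytes trail it, which is the tell for data appended to an otherwise ordinary image. The two sample images and the appended blob are constructed for this example; the function names are my own.

```python
import struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
def png_end_offset(data: bytes) -> int:
    """Walk PNG chunks; return the offset just past the IEND chunk."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                         # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")
def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG segments (including entropy-coded scans); return offset past EOI."""
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                         # EOI: end of image
            return pos + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 1 if marker == 0xFF else 2      # fill byte / standalone marker
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length-prefixed segment
        if marker == 0xDA:                         # SOS: skip scan data until a real marker
            while (idx := data.find(b"\xff", pos)) >= 0 and idx + 1 < len(data):
                if data[idx + 1] == 0x00 or 0xD0 <= data[idx + 1] <= 0xD7:
                    pos = idx + 2                  # stuffed 0xFF or restart marker
                else:
                    pos = idx
                    break
            else:
                raise ValueError("truncated JPEG scan")
    raise ValueError("malformed or truncated JPEG: no EOI marker")
def trailing_bytes(data: bytes) -> int:
    """Bytes after the image's end marker; 0 for a clean PNG or JPEG file."""
    if data.startswith(PNG_SIG):
        return len(data) - png_end_offset(data)
    if data.startswith(b"\xff\xd8"):
        return len(data) - jpeg_end_offset(data)
    raise ValueError("not a PNG or JPEG")
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
# Constructed samples: a real 1x1 grayscale PNG and a marker-only JPEG skeleton (not a decodable picture).
SAMPLE_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x04JF\xff\xda\x00\x02"
               b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
APPENDED = b"CONSTRUCTED-OPAQUE-BLOB-0123456789"   # stands in for the appended encrypted data
```

A non-zero result is a triage signal rather than proof: some editors leave a few bytes of padding, so the size and entropy of the trailer decide whether the file deserves a closer look.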