
HAMMERTOSS

Posted: August 11, 2015

Threat Metric

Threat Level: 8/10
Infected PCs: 30
First Seen: August 11, 2015
Last Seen: November 5, 2021
OS(es) Affected: Windows

HAMMERTOSS is a backdoor Trojan that routes its command-and-control traffic through legitimate social media and web services, which lets it blend into ordinary network activity and evade many PC security solutions. Although HAMMERTOSS is most likely being used in campaigns against specific corporate networks, its backdoor access can also compromise personal computers and the information stored on them. Any suspected HAMMERTOSS infection should be followed by thorough, repeated anti-malware scans to remove HAMMERTOSS along with any related threats installed alongside it.

The Hammer Tweeted Straight Through Your Security

Although the backdoor Trojan known as HAMMERTOSS has been active through 2015, the campaign details published by FireEye show that this threat gives its operators more than most Trojans do. HAMMERTOSS coordinates its actions through tweets and images with data hidden inside them, a design that sidesteps standard security controls on infected machines and shields its C&C infrastructure at the same time. Currently, HAMMERTOSS uses Twitter and GitHub for this purpose, although there is no hard barrier preventing it from switching to Facebook or other sites.

HAMMERTOSS checks specified Twitter accounts for tweets that contain a Web link and a hashtag. The link points to an image hosted on GitHub that carries encrypted data hidden by steganography, and the hashtag supplies what is needed to recover it: the offset within the image where the hidden data begins and characters to append to the Trojan's hard-coded encryption key. HAMMERTOSS also varies which account it checks from day to day and when it checks, so its C&C traffic is difficult to distinguish from ordinary Twitter browsing.

HAMMERTOSS then acts on the decoded data, which drives many of its attack functions. The capabilities confirmed so far include:

  • Launching PowerShell to carry out threatening tasks.
  • Executing commands taken directly from the steganography-hidden data, without going through Windows PowerShell.
  • Saving files to the hard drive, including additional threats.
  • Launching files on the PC automatically, including previously downloaded threats or built-in Windows components.
  • Uploading data from the PC, such as account credentials. As with its C&C channel, this function abuses a legitimate Internet service, in this case a cloud storage provider.
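The retrieval chain described above (tweet with link and hashtag, carrier image on a code-hosting site, hidden payload recovered with an offset and a completed key) and the simplest defender-side check on such a carrier, as an added example in Python. This is illustrative code written for this page, not HAMMERTOSS's own code or anything recovered from it. Everything below is an assumption: the carrier is a PNG with the encrypted payload appended after the IEND chunk, the hashtag is laid out as "#<offset><key suffix>" (for instance "#101docto"), a repeating-key XOR stands in for the Trojan's real cipher, `KEY_PREFIX` stands in for key material embedded in the binary, and the URL is a placeholder that is never contacted.

```python
"""
Added example, not HAMMERTOSS code: simulates the tweet -> image -> hidden
command chain and a trailing-data check on the carrier. All formats, keys and
the XOR stand-in cipher are assumptions made for this example.
"""
import re
import struct
import zlib

KEY_PREFIX = b"k3y"                       # hypothetical hard-coded key material
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed tweet layout: "<anything> <url> #<offset digits><key suffix letters>"
TWEET_RE = re.compile(r"(https?://\S+)\s+#(\d+)([A-Za-z]+)")


def xor_crypt(data, key):
    """Repeating-key XOR; symmetric, so it both hides and recovers the payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def png_chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 white RGB PNG, used as the constructed carrier image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")      # filter byte + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def build_image(payload, offset, key_suffix):
    """Operator side: pad the carrier up to `offset`, then append the encrypted payload."""
    png = minimal_png()
    if offset < len(png):
        raise ValueError("offset would overwrite the carrier image")
    padding = b"\x00" * (offset - len(png))
    return png + padding + xor_crypt(payload, KEY_PREFIX + key_suffix)


def parse_tweet(text):
    """Implant side: pull the image URL, payload offset and key suffix from a tweet."""
    m = TWEET_RE.search(text)
    if m is None:
        return None                                  # no instructions in this tweet
    url, offset, suffix = m.groups()
    return url, int(offset), suffix.encode()


def extract_payload(image, offset, key_suffix):
    """Implant side: decrypt everything from `offset` onward with the completed key."""
    return xor_crypt(image[offset:], KEY_PREFIX + key_suffix)


def run_chain(tweet, fetch):
    """Full flow: tweet -> URL + hashtag -> carrier image -> decrypted command.
    `fetch` is any callable returning image bytes for a URL (kept offline here)."""
    parsed = parse_tweet(tweet)
    if parsed is None:
        return None
    url, offset, suffix = parsed
    return extract_payload(fetch(url), offset, suffix)


def png_end_offset(image):
    """Walk the PNG chunk list and return the offset just past the IEND chunk."""
    if not image.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(image):
        (length,) = struct.unpack(">I", image[pos:pos + 4])
        ctype = image[pos + 4:pos + 8]
        pos += 8 + length + 4                        # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def trailing_bytes(image):
    """Defender side: bytes after IEND. A clean PNG gives 0; appended data gives > 0."""
    end = png_end_offset(image)
    return None if end is None else len(image) - end


if __name__ == "__main__":
    # Constructed command, carrier and tweet for a local dry run.
    command = b"powershell.exe -NoProfile -Command Get-Process"
    carrier = build_image(command, 101, b"docto")
    tweet = "Follow https://example.invalid/p.png #101docto"
    print(run_chain(tweet, lambda url: carrier))
    print(trailing_bytes(minimal_png()), trailing_bytes(carrier))
```

`trailing_bytes` is the cheapest triage check a scanner or proxy can apply to images pulled from a code-hosting site: a well-formed PNG ends at IEND, so anything after it is a red flag. It is deliberately limited; a payload woven into the pixel data rather than appended would pass this check, which is why the page's recommendation of full anti-malware scans rather than a single heuristic still stands.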

Tossing HAMMERTOSS a Goodbye Message

Steganography isn't a new tactic for threats, and it also appears in threats older than HAMMERTOSS, such as Stegoloader, Shady RAT and the Zberp Trojan. However, HAMMERTOSS's developer, APT29, has gone to extreme lengths to exploit the strengths of this technique for concealing the Trojan's activities. Ironically, the SSL/TLS encryption that many corporate and government networks rely on for traffic to these services also shields HAMMERTOSS's communications from inspection, right alongside the benign data.

Malware researchers sometimes see HAMMERTOSS installed together with other threats. These may include other backdoor Trojans that provide redundant, backup access for maintaining the compromise of the system. PC users concerned about this threat should reboot into Safe Mode and scan with a trusted anti-malware tool until it has removed HAMMERTOSS and any related threats. As a stealth-oriented infiltration Trojan, HAMMERTOSS does not post tweets of its own and produces no obvious, visible symptoms during its attacks.
