Posted: August 11, 2015
Threat Metric
Threat Level: 8/10
Infected PCs: 14

HAMMERTOSS Description

HAMMERTOSS is a backdoor Trojan that uses social media services to obfuscate its command-and-control traffic, which could allow HAMMERTOSS to bypass a variety of PC security solutions. Although HAMMERTOSS currently is most likely being utilized in campaigns against specific corporate networks, its backdoor attacks also may affect personal-use computers and lead to the compromise of information. Extensive and redundant anti-malware scans should follow any suspected HAMMERTOSS infection, both to delete HAMMERTOSS and to remove related threats that may have been installed alongside it.

The Hammer Tweeted Straight Through Your Security

Although the backdoor Trojan known as HAMMERTOSS has a history throughout 2015, recent details of its campaign provided by FireEye have shown that this threat offers more to its operators than most Trojans. In a move that sidesteps standard security features on infected machines while also protecting the C&C infrastructure, HAMMERTOSS uses images and short text messages, which it interprets as instructions, to coordinate its functions and attacks. Currently, HAMMERTOSS uses GitHub and Twitter for this purpose, although there's no hard barrier preventing HAMMERTOSS from switching to Facebook or other sites.

HAMMERTOSS scans specified Twitter accounts for relevant data, which include Web links and hashtags. The URLs point to images hosted on GitHub that use steganography to hide instructions; those instructions can only be interpreted with further information (such as a decryption key) carried in the hashtags. HAMMERTOSS also semi-randomizes which accounts are accessed and at what times. The overall effect is that HAMMERTOSS's C&C traffic is difficult to distinguish from ordinary Twitter activity.
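The C&C pattern described above can be hunted for at the network boundary without any knowledge of the account names or the steganographic scheme: one client fetches a single Twitter account page and then, shortly afterwards, downloads an image from GitHub. The correlation below is an added example, not code from this page or from FireEye's report; the log format, client addresses, account name and image path are all constructed for the example.

```python
"""Correlate proxy log lines for the HAMMERTOSS-style pattern: a client fetches a
Twitter account page and, within a short window, downloads a GitHub-hosted image.
Assumption (constructed): a space-separated log "<ISO time> <client> <user-agent> <url>"."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log. Client 10.0.0.5 browses Twitter and a GitHub repo page
# (no image), 10.0.0.7 shows the Twitter-then-GitHub-image sequence, and
# 10.0.0.9 only fetches the image, with no preceding Twitter account lookup.
SAMPLE_LOG = """\
2015-08-11T09:00:01 10.0.0.5 Mozilla/5.0(Chrome) https://twitter.com/somefriend
2015-08-11T09:00:40 10.0.0.5 Mozilla/5.0(Chrome) https://github.com/someuser/repo
2015-08-11T13:02:10 10.0.0.7 Mozilla/4.0(compatible;MSIE) https://twitter.com/acct_0811x
2015-08-11T13:02:45 10.0.0.7 Mozilla/4.0(compatible;MSIE) https://github.com/acct/img/photo.png
2015-08-11T13:10:00 10.0.0.9 Mozilla/4.0(compatible;MSIE) https://github.com/acct/img/photo.png
"""

WINDOW = timedelta(minutes=5)                      # max gap between tweet read and image fetch
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")      # image types worth correlating


def parse(line):
    """Split one constructed log line into (time, client, user-agent, parsed URL)."""
    ts, client, ua, url = line.split(None, 3)
    return datetime.fromisoformat(ts), client, ua, urlparse(url)


def find_c2_candidates(log_text, window=WINDOW):
    """Return (client, twitter_account, image_url) for every case where a client
    fetched a Twitter account page and then a GitHub image within `window`."""
    pending = {}   # client -> [(time, account)] recent Twitter account page fetches
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _ua, u = parse(line)
        path = u.path.strip("/")
        # A bare account page (single path segment) is what the Trojan polls.
        if u.hostname == "twitter.com" and path and "/" not in path:
            pending.setdefault(client, []).append((ts, path))
        elif u.hostname == "github.com" and u.path.lower().endswith(IMAGE_EXT):
            for t0, account in pending.get(client, []):
                if timedelta(0) <= ts - t0 <= window:
                    hits.append((client, account, u.geturl()))
    return hits


if __name__ == "__main__":
    for client, account, image in find_c2_candidates(SAMPLE_LOG):
        print(f"review {client}: read twitter.com/{account}, then fetched {image}")
```

A hit is a lead for triage (which process made the request, how often the same client repeats the pair), not a verdict on its own.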

HAMMERTOSS then uses this data to determine many of its attack functions. Malware experts have verified the following capabilities so far:

  • HAMMERTOSS may use PowerShell to launch threatening tasks.
  • HAMMERTOSS also may execute direct commands from the steganography-based data without utilizing the Windows PowerShell feature.
  • HAMMERTOSS may save files to your hard drive, including potential threats.
  • HAMMERTOSS may automatically launch files on your PC, including previously downloaded threats or default Windows components.
  • HAMMERTOSS also may upload data from your PC, such as account credentials. Like its main communications infrastructure, this function also exploits a benign Internet service: in this case, a cloud storage server.

Tossing HAMMERTOSS a Goodbye Message

Steganography isn't a new tactic for threats, and it also appears in threats older than HAMMERTOSS, such as Stegoloader, Shady Rat and the Zberp Trojan. However, HAMMERTOSS's developer, APT29, has gone to extreme lengths to exploit the strengths of this technique for concealing the Trojan's threatening activities. Ironically, the SSL protection used by many corporate and government networks for such communications also shields HAMMERTOSS's traffic alongside the benign data.

Malware researchers sometimes see instances of HAMMERTOSS being installed with other threats. These additional threats may include other backdoor Trojans with redundant, backup features for maintaining the compromise of the system. PC users concerned about this threat should reboot their computers in Safe Mode and use a trusted anti-malware tool to scan the system until it has deleted HAMMERTOSS and any related threats. As an infiltration and stealth-based Trojan, HAMMERTOSS does not generate tweets of its own or create any obvious, visible symptoms accompanying its attacks.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to HAMMERTOSS may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
