The espionage gang behind the MiniDuke backdoor uncovered by Kaspersky Lab and CrySys Lab in 2013 has surfaced again with a new backdoor and attack platform that is used sparingly against only high-value targets.
The new data theft tool, called Hammertoss, is a study not only in espionage capabilities, but also stealth and targeting. It’s been found so far only on one organization’s network, and has been linked to a Russian group dubbed APT29 by researchers at FireEye.
Once APT29 has access to a target network and deems it worthy, it deploys Hammertoss, which communicates through URLs seeded in social media accounts—Twitter in particular—and makes use of steganography in images stored on GitHub or compromised websites to retrieve encrypted instructions.
“MiniDuke and other tools that have been outed recently are part of the same toolkit,” said Jen Weedon, manager of threat intelligence at FireEye. “It’s unique, and considerably more complicated and layered in its approach. They will use Hammertoss when other tools don’t work.
“We also think Hammertoss is only leveraged against critical targets,” Weedon added. “The actors seem selective in using it versus other tools that are deployed more widely.”
While FireEye would not disclose the lone Hammertoss victim or its industry, past MiniDuke targets have been concentrated among Western and European government agencies and foreign policy organizations, and the attackers seem to thirst for strategic political intelligence. FireEye links the group to the Russian government based not only on how the targets map to state interests, but also on timing: most activity takes place during working hours in the UTC+3 time zone, which corresponds to the Russian work day, and it drops off around Russian holidays.
Hammertoss was spotted in early 2015 during an investigation and was part of a broader intrusion, FireEye said. The company has also identified a second, less complicated variant, which gives APT29 two ways for the backdoor to reach its operators.
“This exemplifies how innovative these APT groups are becoming,” Weedon said. “It’s unique in its ability to lay low, and thwart defenses.”
Probably the more intriguing of the two variants is tDiscoverer, which uses a custom algorithm to generate, for each day, the Twitter handle the malware will check once it is active; the operators register that handle manually ahead of time, before the malware reaches out.
The malware looks for a tweet on that account that contains a URL and a hashtag. The hashtag encodes where the hidden data begins in the image file, as a byte offset, followed by characters that are appended to the encryption key. For example, FireEye said a tweet could read “Follow doctorhandbook[.]com #101docto”, which tells the backdoor to fetch the image at that URL, read the encrypted data starting at byte offset 101, and append “docto” to its encryption key.
FireEye said it observed URLs pointing to GitHub accounts as well as compromised websites. Once Hammertoss retrieves the image and decrypts the data appended to it with the key, it obtains its next instruction and, in some cases, login credentials for cloud storage services to which stolen data is to be uploaded.
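The channel described above, as an added example that is neither FireEye's analysis code nor anything from Hammertoss itself: an operator-side routine that appends an encrypted command after a PNG's final chunk and tweets the offset, an implant-side routine that parses the tweet and decrypts from that offset, and a defender-side check that flags images carrying bytes beyond the IEND chunk. Only the tweet format is taken from the page; the base key, the SHA-256 keystream XOR (a stand-in for whatever cipher the backdoor really uses), the in-memory 1x1 PNG, the tweet text and the "command" are all constructed for illustration.

```python
import hashlib
import re
import struct
import zlib

# Constructed base key; the real backdoor's key material is not described on the page.
BASE_KEY = b"example-base-key"

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# "Follow <url> #<offset><key-suffix>": the digits are the byte offset, the letters
# are appended to the encryption key (letters only, so the split is unambiguous).
TWEET_RE = re.compile(r"Follow\s+(\S+)\s+#(\d+)([A-Za-z]+)")


def parse_tweet(text):
    """Return (url, offset, key_suffix) from a tweet, or None if it does not match."""
    m = TWEET_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def keystream(key, n):
    """Stand-in cipher keystream: SHA-256(key || counter). Not Hammertoss's real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(data, key):
    """Encrypt or decrypt (XOR is symmetric) under the stand-in keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def minimal_png():
    """Build a valid 1x1 RGB PNG in memory (constructed sample, not a real artefact)."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff"))  # filter byte + one white pixel
    iend = chunk(b"IEND", b"")
    return PNG_SIG + ihdr + idat + iend


def embed_command(image, command, key):
    """Operator side: append the encrypted command after the image's final chunk."""
    return image + xor_crypt(command, key)


def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        pos += 12 + length  # length field + tag + body + CRC
        if tag == b"IEND":
            return pos
    return None


def has_appended_payload(data):
    """Defender check: bytes after IEND are not part of the image and deserve a look."""
    end = png_end_offset(data)
    return end is not None and end < len(data)


def extract_command(data, offset, key_suffix):
    """Implant side: decrypt whatever starts at the offset named in the hashtag."""
    return xor_crypt(data[offset:], BASE_KEY + key_suffix.encode())


def demo():
    """Round trip: operator tweets, implant parses, 'fetches' (in memory) and decrypts."""
    image = minimal_png()
    command = b"upload %USERPROFILE%\\Documents\\*.docx"  # constructed instruction
    key_suffix = "docto"
    stego = embed_command(image, command, BASE_KEY + key_suffix.encode())
    tweet = f"Follow doctorhandbook[.]com #{len(image)}{key_suffix}"
    url, offset, suffix = parse_tweet(tweet)
    fetched = stego  # a real implant would HTTP GET `url` here
    if not has_appended_payload(fetched):
        raise RuntimeError("no trailing data after IEND")
    return extract_command(fetched, offset, suffix)


if __name__ == "__main__":
    print(demo())
```

The `has_appended_payload` check is the cheap triage test worth running over images pulled from GitHub or seen on a web proxy: a well-formed PNG ends at IEND, so anything after it was put there deliberately. The analogous JPEG check looks for bytes after the FFD9 end-of-image marker. Both catch appended payloads only, not data hidden in the pixel values themselves.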
“When you look at the flow, from Twitter to GitHub to cloud storage, from a defender’s perspective, that’s not going to look malicious,” said Jordan Berry, threat intelligence analyst at FireEye. “We’ve seen all of these tactics employed before, but a combination of them all like this, we have not observed that before. They’ve taken all of these steps and malware development capabilities and put them into one sample.”
For defenders, the many layers to this campaign make it difficult to contend with. The group is agile enough to redirect the tool to download images from other locations if an enterprise blocks Twitter or GitHub, or to fall back to the first variant, Uploader, which fetches instructions from a predetermined command server. FireEye added that it observed new versions of the malware and backdoor being deployed as bugs were fixed, features were added, or detections needed to be countered.
“This tool is a great example of innovation in stealth and how threat actors are evolving,” Weedon said. “In this case, there’s no compromised infrastructure to look for and block because they created their own workaround.”