HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group S P E C I A L R E P O R T SECURITY REIMAGINED F I R E E Y E T H R E A T I N T E L L I G E N C E JULY 2015 HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 22 CONTENTS HAMMERTOSS 3 APT29 5 Introducing HAMMERTOSS 6 Five Stages of HAMMERTOSS 6 Stage 1: The Communication Process Begins with Twitter 7 Figure 1: HAMMERTOSS calls out to a Twitter handle 7 Stage 2: Tweeting a URL, Minimum File Size of an Image, and Part of an Encryption Key 8 Figure 2: Learning the URL, image size, and encryption key 8 Figure 3: Twitter page for d3109c83e07dd5d7fe032dc80c581d08 9 Stage 3: Visiting GitHub to Download an Image 10 Figure 4: The active Twitter account in our sample contained a GitHub URL and a related GitHub page with image containing encrypted data 10 Stage 4: APT29 Employs Basic Steganography 11 Figure 5: Encrypted data appended beyond the FF D9 JPEG End of File marker 11 Stage 5: Executing Commands and Uploading Victim Data 12 Figure 6: Executing Commands and Removing Data 12 Conclusion 13 Difficulty Identifying Accounts, Discerning Legitimate and Malicious Traffic, and Predicting the Payload APT29: An Adaptive and Disciplined Threat Group 13   HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 3333 Using a variety of techniques—from creating algorithms that generate daily Twitter handles to embedding pictures with commands—the developers behind HAMMERTOSS have devised a particularly effective tool. T he Russian cyber threat groups that we monitor frequently design innovative ways to cover their tracks. In early 2015, we came across stealthy malware—which we call HAMMERTOSS—from an advanced persistent threat group that we suspect the Russian government sponsors. We designate this group APT29. Using a variety of techniques—from creating an algorithm that generates daily Twitter handles to embedding pictures with commands—the developers behind HAMMERTOSS have devised a particularly effective tool. APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS uses Twitter, GitHub, and cloud storage services to relay commands and extract data from compromised networks. HAMMERTOSS 4 HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 1. Retrieving commands via legitimate web services, such as Twitter and GitHub, or using compromised web servers for command-andcontrol (CnC). 2. Visiting different Twitter handles daily and automatically. 3. Using timed starts— communicating after a specific date or only during the victim’s workweek. 4. Obtaining commands via images containing hidden and encrypted data. 5. Extracting informationfrom acompromised networkand uploadingfiles tocloudstorage services. While none of these tactics are new, the combination of these techniques piqued our interest. HAMMERTOSS works by: HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 55 APT29 has been operating in its current form since at least late 2014. We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg. While other APT groups try to cover their tracks to thwart investigators, very few groups show the same discipline and consistency. APT29 Similarly, few groups display the ability to adapt to network defenders’ attempts to mitigate its activity or remove it from victim networks. For example, APT29 almost always uses anti-forensic techniques, and they monitor victim remediation efforts to subvert them. Likewise, the group appears to almost solely uses compromised servers for CnC to enhance the security of its operations and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection. These aspects make APT29 one of the most capable APT groups that we track. (UTC + 02/MSK-1) (UTC + 10/MSK+7)(UTC + 09/MSK+6)(UTC + 08/MSK+5)(UTC + 07/MSK+4)(UTC + 06/MSK+3)(UTC + 05/MSK+2)(UTC + 04/MSK+1)(UTC + 03/MSK) (UTC + 11/MSK+8) (UTC + 12/MSK+9) KALININGRAD TIME MOSCOW TIME YEKATERINBURG TIME OMSK TIME KRASNOYARSK TIME IRKUTSK TIME YAKUTSK TIME VLADIVOSTOK TIME SREDNEKOLYMSK TIME SAMARA TIME KAMCHATKA TIME HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 66 4. The image looks normal, but actually contains hidden and encrypted data using steganography. HAMMERTOSS decrypts the hidden data to obtain commands. W e first identified HAMMERTOSS in early 2015. APT29 likely used HAMMERTOSS as a backup for their two primary backdoors to execute commands and maintain access if the group’s principal tools were discovered. We have identified two HAMMERTOSS variants that give APT29 alternative ways to communicate with the malware. The developer appears to name these variants uploader and tDiscoverer.1 Both variants are written in the C# programming language. Each variant uses different methods to acquire CnC instructions, either by directly accessing a hard-coded website or accessing Twitter as an intermediary. • Uploader is preconfigured to use a hard-coded server for its CnC. It goes to a specific URL to obtain an image with a specific file size. • tDiscoverer uses an additional layer of obfuscation by first going to Twitter to obtain a CnC URL, before visiting the URL to acquire its target image. INTRODUCING HAMMERTOSS We will focus on tDiscoverer in this report. Five Stages of HAMMERTOSS We have broken down the malware communication process into five stages to explain how the tool operates, receives instructions, and extracts information from victim networks. The stages include information on what APT29 does outside of the compromised network to communicate with HAMMERTOSS and a brief assessment of the tool’s ability to mask its activity. 1 The “tDiscoverer” variants were originally named “tDiscoverer.exe,” and the “Uploader” variants had a debug path containing “uploader.pdb.” 3. HAMMERTOSS visits the URL and obtains an image. 5. HAMMERTOSS processes the decrypted commands, which may instruct the malware to conduct reconnaissance, execute commands via PowerShell, or upload data to a cloud storage service. Note: The images are stock photography and were not used by the group. 1. The HAMMERTOSS backdoor generates and looks for a different Twitter handle each day. It uses an algorithm to generate the daily handle, such as “234Bob234”, before attempting to visit the corresponding Twitter page. If the threat group has not registered that day’s handle, HAMMERTOSS will wait until the next day and look for a different handle. 2. HAMMERTOSS visits the associated Twitter account and looks for a tweet with a URL and a hashtag that indicates the location and minimum size of an image file. 1 2 3 5 010111101101 111011011110 010111101 10 010111101 4 bobby @1abBob52b TWEETS 1 Tweets Tweet & replies bobby @1abBob52b • July 29 Follow doctorhandbook.com #101docto HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 77 STAGE 1: The Communication Process Begins with Twitter H AMMERTOSS first looks for instructions on Twitter. The malware contains an algorithm that generates a daily Twitter handle, which is an account user ID. To create the handles, the algorithm employs a basename, such as “Bob,” and appends and prepends three CRC32 values based on the date. For example, “1abBob52b” would have the URL: hxxps://twitter.com/1abBob52b. Each HAMMERTOSS sample will create a different Twitter handle each day. APT29 knows the algorithm used to generate the handles and chooses to register a Twitter handle and post obfuscated instructions to the handle’s URL before the malware attempts to query it. If a particular day’s handle is not registered and the URL for that day is not found, HAMMERTOSS will wait until the next day to attempt to communicate with another handle. APT29’s operator chooses to register a particular day’s Twitter handle using the same algorithm ahead of the anticipated communication. Figure 1: HAMMERTOSS calls out to a Twitter handle 1 2 3 APT29 typically configures HAMMERTOSS to communicate within certain restrictions, such as only checking the Twitter handle on weekdays or after a specified start date. This allows the malware to blend in to “normal” traffic during the victim’s work week or to remain dormant for a period of time before activating. 3a. APT29’s operator registers the handle. HAMMERTOSS goes to the Twitter page and looks for a tweet that provides instructions on the next phase of the process. 1. HAMMERTOSS contains an algorithm that generates Twitter handles telling the malware to visit a specific Twitter handle on a specific day. A Twitter handle is a user ID associated with Twitter’s website. For instance, FireEye’s Twitter handle, @FireEye, has a URL: https://www.twitter.com/ fireeye. The HAMMERTOSS algorithm uses a basename, like “Bob,” and appends and prepends three CRC32 values based on the current date. An example, may be 1abBob52b, which would have the URL: hxxps://www. twitter.com/1abBob52b. 2. HAMMERTOSS visits the Twitter URL related to its daily Twitter handle. For instance, on July 29, it may look for a handle 1abBob52b (hxxps://twitter. com/1abBob52b). 3b. APT29’s operator does not register the handle. HAMMERTOSS waits until the next day to begin the process again. bobby @1abBob52b TWEETS 1 Tweets Tweet & replies bobby @1abBob52b • July 29 Follow doctorhandbook.com #101docto HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 88 Figure 2: Learning the URL, image size, and encryption key I f APT29 has registered that day’s Twitter handle, they will tweet a URL and a hashtag. The URL directs HAMMERTOSS to a webpage containing an image or images. The hashtag provides a number representing a location within the image file and characters for appending to an encryption key to decrypt instructions within the image. In the mockup of a HAMMERTOSS tweet in Figure 2, the hashtag was #101docto, indicating that the encrypted data begins at an offset of 101 bytes into the image file, and the characters docto should be added to the encryption key to decrypt the data. Using Twitter as an intermediary to deliver the second-stage CnC to HAMMERTOSS allows APT29 to dynamically direct the tool. STAGE 2: Tweeting a URL, Minimum File Size of an Image, and Part of an Encryption Key URL: In the case above, the tweet instructs HAMMERTOSS to download the content hosted at the specified URL, including any images on the page. In the example we will discuss later, the tweet included a URL on GitHub. bobby @1abBob52b TWEETS 1 Tweets Tweet & replies bobby @1abBob52b • July 29 Follow doctorhandbook.com #101docto Hashtag: The tweet also contains a hashtag with information to allow HAMMERTOSS to extract encrypted instructions from an image file. The hashtag indicates that the hidden data is offset 101 bytes into the image file and the characters to be used for decryption are docto. If APT29’s operator has registered that particular day’s handle, he will tweet a URL and hashtag. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 99 MD5: d3109c83e07dd5d7fe032dc80c581d08 (VirusTotal) SHA1: 42e6da9a08802b5ce5d1f754d4567665637b47bc Timing Behavior: Communicate on weekdays only after April 3, 2015 Active Twitter Handle: twitter[.]com/3c6Diallo7f0 (Figure 3 below) Tweeted URL, Hashtag: hxxp://www[.]doctorhandbook[.]com, #101docto Detection Ratio: 5/56 Metadata: In Figure 3 is a sample of the HAMMERTOSS tDiscoverer variant and a corresponding snapshot of a Twitter account page from one of its generated handles. At the time of publication, a publicly available HAMMERTOSS sample had only five generic detections in VirusTotal. The Twitter account was active and contained a link to a website. Figure 3: Twitter page for d3109c83e07dd5d7fe032dc80c581d08 2 “Miniduke still duking it out.” ESET Security. 20 May 2014. http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/ Balazs, Biro, Christian Istrate, and Mairus Tivaradar. A Closer Look at MiniDuke. BitDefender. 2013. http://labs.bitdefender.com/wp-content/uploads/downloads/2013/04/MiniDuke_Paper_Final.pdf. James, Peter. Flashback Mac Malware Uses Twitter as Command and Control Center. Intego’s The Mac Security Blog. 5 March 2012. http://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center. Coogan, Peter. “Twittering Botnets.” Symantec Security Blog. 14 Aug 2009. http://www.symantec.com/connect/blogs/twittering-botnets. Kessler, Michelle. “Hackers harness Twitter to do their dirty work.” USA Today. 17 August 2008. http://content.usatoday.com/communities/technologylive/post/2009/08/68497133/1#.VbJVi4q9_Vs. HIDINGAMONG UNREGISTERED TWITTER ACCOUNTS H AMMERTOSS uses an algorithm to generate hundreds of Twitter handles annually for potential CnC. Many of these are unregistered, as APT29 chooses to register a particular day’s handle as needed and ahead of an anticipated HAMMERTOSS beacon. This small number of registered accounts allows the group to maintain a small footprint. Other tools use Twitter to relay instructions, including:2 • MiniDuke, a Windows-based backdoor that is a suspected Russian tool • the Sninfs botnet • Flashback, a Mac-based backdoor MiniDuke behaves similarly to HAMMERTOSS by not only using Twitter for CnC, but also by downloading image files containing encrypted, appended content. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 1010 Figure 4: The URL specified in the tweet (in this case, a GitHub page) contains an image with appended and encrypted data STAGE 3: Visiting GitHub to Download an Image H AMMERTOSS then uses the InternetExplorer. Application COM Object to visit the URL specified in a tweet. We have observed URLs lead to specific GitHub accounts or compromised websites. We will use Github for the next part in our example. Once HAMMERTOSS obtains the GitHub URL from its daily Twitter account, it visits the URL and downloads the contents of the page, including any image files. APT29’s operator registers a GitHub page and uploads an image. HAMMERTOSS uses the InternetExplorer. Application COM Object to visit the URL and obtain the image. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 1111 010111101101 111011011110 010111101 10 010111101 STAGE 4: APT29 Employs Basic Steganography We have observed only a few APT groups using steganography. HAMMERTOSS uses steganography by appending data to an image file after the image’s end of file marker. This technique would be readily detectable if someone was checking for it. However, the Figure 5: Encrypted data appended beyond the FF D9 JPEG End of File marker appended data is encrypted, so even if detected, the investigator would be unable to decrypt the data without key material from two sources: the malware binary and the current tweet. Indicative of APT29’s discipline, the group ensures that if network defenders discover the images, the defenders still require the malware sample, corresponding Twitter handle, and tweet with the additional key material to decrypt the tool’s instructions. All of the samples we have observed have used different encryption keys to decrypt the appended content. 2. Though the image looks normal, it contains appended and encrypted content. H AMMERTOSS downloads the contents of the website to Internet Explorer’s browser cache and searches the cache for any images at least as large as the offset specified in the tweet from Stage 2. While the image appears normal, it actually contains steganographic data. Steganography is the practice of concealing a message, image, or file within another message, image, or file. In this case, the image contains appended and encrypted data that HAMMERTOSS will decrypt and execute. The data may include commands or login credentials to upload a victim’s data to a cloud storage service. HAMMERTOSS locates the encrypted data at the offset specified in the tweet in Stage 2. It decrypts the data using a key comprised of hard-coded data from the malware binary appended with the characters from the tweet. 3. HAMMERTOSS decrypts the image using a hard-coded key appended with the characters obtained from the tweet in Stage 2. 1.HAMMERTOSS downloadstheimage fromthespecifiedURL, retrievestheimage fromInternetExplorer’s browsercache,and beginstheprocessof decryption. 1 2 3 End of File Marker APT29 ADDING STEGANOGRAPHY ASANOTHERLAYER OFOBFUSCATION HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 1212 STAGE 5: Executing Commands and Uploading Victim Data 010111101101111000101001100101 1110110111100010100110 01011110110111100010100110 010111101101111000101001100101111 0110111100010100110 Figure 6: Executing Commands and Removing Data APT29’s operator creates the cloud storage account and can obtain the victim’s data from the cloud storage service. 2. HAMMERTOSS is capable of uploading victim data to a cloud storage service. 1.HAMMERTOSSmayissue otherfollowoncommands: powershell -ExecutionPolicy bypass -WindowStyle hidden – encodedCommand... T he encrypted data in the image may include instructions to execute commands via PowerShell, execute a direct command or file, or save an executable to disk and execute it. In several cases, the commands directed HAMMERTOSS to upload information from victim networks to accounts on cloud storage services using login credentials received in Stage 4. In our GitHub example, the decrypted data instructed the backdoor to obtain a list of running tasks—reconnaissance on the victim network—and upload it to a specific account on a cloud storage service using the login credentials. APT29 can then easily obtain the extracted information from the cloud storage service at their convenience. 1 2 HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat GroupSPECIAL REPORT 1313 APT29: AN ADAPTIVE AND DISCIPLINED THREAT GROUP HAMMERTOSS illustrates APT29’s ability to adapt quickly during operations to avoid detection and removal. For example, if an organization blocks access to GitHub, APT29 could easily redirect HAMMERTOSS to download an image with encrypted instructions from another website. Similarly, if an organization starts monitoring Twitter activity on their network, APT29 could easily switch to using the Uploader variant of HAMMERTOSS, which does not use Twitter and communicates directly to a specified URL. If an organization identifies the handle generation algorithm and attempts to research old Twitter accounts, tweets, or secondary URLs, APT29 could easily delete previously used accounts or the locations where images were stored. While each technique in HAMMERTOSS is not new, APT29 has combined them into a single piece of malware. Individually, each technique offers some degree of obfuscation for the threat group’s activity. In combination, these techniques make it particularly hard to identify HAMMERTOSS or spot malicious network traffic; determine the nature and purpose of the binary; discern the malware’s CnC method and predict its CnC accounts; capture and decode second-stage CnC information; and pinpoint and decrypt the image files containing malware commands. This makes HAMMERTOSS a powerful backdoor at the disposal of one of the most capable threat groups we have observed. H AMMERTOSS undermines network defenders’ ability to identify Twitter accounts used for CnC, discern malicious network traffic from legitimate activity, and locate the malicious payloads downloaded by the malware. • Identifying daily potential Twitter accounts requires network defenders to have access to the associated HAMMERTOSS binary and to reverse engineer it to identify the basename and the algorithm used to create the potential accounts. Monitoring malicious tweets from these accounts is difficult as each sample is capable of generating hundreds of potential Twitter accounts annually, and APT29 may only register a small number of those accounts for CnC. • Employing legitimate web services that are widely allowed in organizations’ networks— some of which use Secure Sockets Layer connections that ensure the communications are encrypted—makes it harder for network defenders to discern between malicious and legitimate traffic. • Using steganography and varying the image size makes the target payload—the image containing the appended, encoded commands—less predictable. Even if the network defenders are able to predict or identify the target payloads, they need the associated HAMMERTOSS sample and relevant tweet containing the related encryption key information to decrypt the contents. CONCLUSION Difficulty Identifying Accounts, Discerning Legitimate and Malicious Traffic, and Locating the Payload © 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. SP.APT29.EN-US.072015 FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com To download this or other FireEye Threat Intelligence reports, visit: https://www.fireeye.com/reports.html