S0037 HAMMERTOSS
HAMMERTOSS is a backdoor that was used by APT29 in 2015.[1][2]
Item | Value |
---|---|
ID | S0037 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 09 February 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | HAMMERTOSS is known to use PowerShell.[1] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.002 | Steganography | HAMMERTOSS is controlled via commands that are appended to image files.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained in that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.[1] |
enterprise | T1567 | Exfiltration Over Web Service | - |
enterprise | T1567.002 | Exfiltration to Cloud Storage | HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on web cloud storage providers, for the adversaries to retrieve later.[1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.[1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.003 | One-Way Communication | The "tDiscoverer" variant of HAMMERTOSS establishes a C2 channel by downloading resources from web services such as Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.[1] |
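The Steganography (T1001.002) and Symmetric Cryptography (T1573.001) rows above describe the same mechanism from two angles: the command is appended to an image file, and it is only readable with a key assembled from a constant in the binary and a string from that day's tweet. The script below is an added example, not code from the ATT&CK page, from the FireEye report, or from the HAMMERTOSS sample. It shows the investigator's side of that mechanism: walking a JPEG's marker structure to find whatever sits after the end-of-image marker (a viewer stops there, so appended bytes never affect the picture), then deriving a key from the two inputs and decrypting the appended blob. The JPEG skeleton, the hard-coded value, the tweet fragment, the command text, the SHA-256 key derivation and the XOR keystream cipher are all assumptions made so the example runs offline; the page does not state which cipher or key schedule the malware actually uses.

```python
"""Added example (not from the ATT&CK page or the HAMMERTOSS sample): find data
appended past a JPEG's EOI marker and decrypt it with a key built from a
hard-coded value plus a string taken from the day's tweet. The key derivation
and cipher are illustrative assumptions, not the malware's real ones."""
import hashlib

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Assumption: stands in for the constant embedded in the malware binary.
HARDCODED_KEY_PART = b"constant-baked-into-the-sample"


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past EOI.

    Length-prefixed segments are skipped by their declared length. Inside a
    scan (after SOS) the only legal FF sequences are FF 00 (byte stuffing) and
    FF D0..D7 (restart markers), so the first other FF xx is the next marker.
    Following the structure instead of searching for FF D9 avoids stopping at
    an EXIF thumbnail's own EOI, or at an FF D9 that happens to occur inside
    the appended ciphertext.
    """
    if data[:2] != JPEG_SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:                      # fill byte: the next FF starts the marker
            pos -= 1
            continue
        if marker == 0xD9:                      # EOI
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                            # standalone markers carry no length
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len
        if marker == 0xDA:                      # SOS: skip the entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def split_appended(image: bytes) -> tuple[bytes, bytes]:
    """Return (genuine image bytes, bytes trailing after EOI)."""
    end = jpeg_end_offset(image)
    return image[:end], image[end:]


def derive_key(hardcoded: bytes, tweet_fragment: str) -> bytes:
    """Key = hard-coded value from the binary + string from that day's tweet.
    Assumption: hashing the concatenation; the page gives no key schedule."""
    return hashlib.sha256(hardcoded + tweet_fragment.encode("utf-8")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Illustrative keystream (SHA-256 in counter mode). Assumption: not the
    malware's real cipher; used only so the example is self-contained."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def embed_command(image: bytes, hardcoded: bytes, tweet_fragment: str, command: str) -> bytes:
    """Operator side: append the encrypted command after the image's EOI.
    Viewers stop at EOI, so the picture still displays normally."""
    clean, _ = split_appended(image)
    return clean + crypt(command.encode("utf-8"), derive_key(hardcoded, tweet_fragment))


def recover_command(image: bytes, hardcoded: bytes, tweet_fragment: str) -> str:
    """Investigator side: needs the sample's constant, the day's tweet and the image."""
    _, blob = split_appended(image)
    if not blob:
        return ""
    return crypt(blob, derive_key(hardcoded, tweet_fragment)).decode("utf-8", "replace")


def build_sample_jpeg() -> bytes:
    """Constructed marker skeleton, not a decodable picture: SOI, APP0/JFIF, SOS
    with scan data that includes a stuffed FF 00 and an RST0 marker, then EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


if __name__ == "__main__":
    img = build_sample_jpeg()
    stego = embed_command(img, HARDCODED_KEY_PART, "#a1b2c3",
                          "upload C:\\Users\\victim\\Documents\\report.docx")
    print("appended bytes:", len(stego) - len(img))
    print("with the day's tweet:", recover_command(stego, HARDCODED_KEY_PART, "#a1b2c3"))
    print("with a wrong tweet:  ", recover_command(stego, HARDCODED_KEY_PART, "#wrong"))
```

The structural walk in `jpeg_end_offset` is the part worth keeping for triage: a plain search for the last `FF D9` misreports an image whose appended ciphertext happens to contain those two bytes, and a search for the first `FF D9` flags every JPEG with an EXIF thumbnail as carrying a payload. Running `recover_command` with the wrong tweet fragment or the wrong binary constant yields garbage, which is exactly the investigator's problem the T1573.001 row describes.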
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [2][3] |
References
1. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
2. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
3. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.