The Russian threat groups that we monitor frequently cover their tracks to evade detection. One of these groups, APT29, has been particularly active throughout 2015, redoubling its efforts with new downloaders, payloads, and targets. Several of our colleagues in the security industry[1] have published research exposing some of APT29’s recent activities.
In early 2015, we came across a backdoor, HAMMERTOSS, which is similarly designed to make it difficult for security professionals to detect and characterize the extent of APT29’s activity. The developers of HAMMERTOSS try to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. HAMMERTOSS does this by using several commonly visited websites—Twitter, GitHub, and cloud storage services—to relay commands and extract data from victims.
HAMMERTOSS works by:
APT29 is among the most capable groups that we track. While other APT groups try to cover their tracks to thwart investigators, APT29 stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts. In our report, we describe how HAMMERTOSS functions and how it demonstrates APT29’s capabilities.
FireEye products/services identify this activity as HAMMERTOSS within the user interfaces.
The complete report can be downloaded here.
FireEye is hosting a HAMMERTOSS webinar on August 25 with threat intelligence analysts, who will discuss the five stages of HAMMERTOSS, who APT29 is, and why this malware is so difficult to detect.