HAMMERTOSS: New Russian Malware
FireEye has a detailed report of a sophisticated piece of Russian malware: HAMMERTOSS. It uses some clever techniques to hide:
The Hammertoss backdoor malware looks for a different Twitter handle each day—automatically prompted by a list generated by the tool—to get its instructions. If the handle it’s looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.
That’s where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim’s network, typically then lead the malware to send that stolen information to a cloud-based storage service.
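The retrieval loop quoted above (compute today's handle, give up until tomorrow if it is unregistered, find the tweet carrying a URL and a hashtag, fetch the image, decrypt what is hidden in it) is simple enough to model end to end. The following is an added example, not FireEye's code and not the malware's real algorithm: the handle derivation, the tweet layout, the hashtag format, the XOR "cipher" and every piece of sample data are assumptions chosen for illustration. It also includes the defender-side step the quoted text only implies, enumerating the handles for a whole date window once the per-sample seed is recovered.

```python
"""Simplified, runnable model of a date-seeded social-media C2 channel of the
kind the HAMMERTOSS write-up describes. Added example: not FireEye's code and
not the malware's real algorithm. The handle derivation, tweet layout, hashtag
format, cipher and all sample data below are assumptions for illustration."""
import hashlib
import hmac
import re
from datetime import date, timedelta

BASENAME = "weather"      # assumed: fixed handle prefix embedded in the sample
SEED = b"example-seed"    # assumed: per-sample secret the operator also holds
EXAMPLE_DAY = date(2015, 7, 31)


def handle_for(day, basename=BASENAME, seed=SEED):
    """Today's handle = basename + 3 hex chars keyed by the calendar date.
    Operator and implant run the same function, so they agree on the
    account to use without ever exchanging a message."""
    mac = hmac.new(seed, day.isoformat().encode(), hashlib.sha256).hexdigest()
    return f"{basename}_{mac[:3]}"


TWEET_RE = re.compile(r"(https?://\S+)\s+#(\w+)")


def parse_tweet(text):
    """Return (url, hashtag) for a tweet carrying both, else None."""
    m = TWEET_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def decode_hashtag(tag):
    """Assumed layout '<offset>x<key>', e.g. '1024xg7': where the payload
    starts inside the image and the XOR key that unlocks it."""
    offset, _, key = tag.partition("x")
    return int(offset), key.encode()


def xor_stream(data, key):
    """Toy stand-in for the real encryption; not secure, just reversible."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_image(instruction, offset, key):
    """Operator side: a stand-in 'PNG' (magic bytes padded to `offset`) with
    the encrypted instruction appended after the cover bytes."""
    cover = b"\x89PNG\r\n\x1a\n".ljust(offset, b"\x00")
    return cover + xor_stream(instruction, key)


def poll(day, accounts, web):
    """Implant side. `accounts` maps handle -> list of tweet texts and `web`
    maps URL -> image bytes; both stand in for Twitter and the image host."""
    tweets = accounts.get(handle_for(day))
    if tweets is None:
        return None                       # unregistered today: retry tomorrow
    for text in tweets:
        parsed = parse_tweet(text)
        if parsed is None:
            continue                      # decoy tweet without URL + hashtag
        url, tag = parsed
        offset, key = decode_hashtag(tag)
        return xor_stream(web[url][offset:], key)
    return None


def predicted_handles(start, days, basename=BASENAME, seed=SEED):
    """Defender side: with the seed recovered from a sample, enumerate every
    handle the implant will poll in the window, so all of them can be
    blocked or sinkholed at once instead of one per day."""
    return [handle_for(start + timedelta(d), basename, seed) for d in range(days)]


def demo(day, instruction=b"upload C:\\docs\\*.docx"):
    """End-to-end run on constructed data: the operator registers the day's
    handle, posts a tweet pointing at the image, and the implant recovers
    the instruction. Returns the recovered bytes."""
    handle = handle_for(day)
    offset, key = 1024, b"g7"
    url = f"https://img.example/{handle}.png"
    accounts = {handle: ["morning coffee", f"nice view {url} #{offset}x{key.decode()}"]}
    web = {url: build_image(instruction, offset, key)}
    return poll(day, accounts, web)


if __name__ == "__main__":
    print(handle_for(EXAMPLE_DAY), demo(EXAMPLE_DAY))
    print(predicted_handles(EXAMPLE_DAY, 7))
```

The point of `predicted_handles` is the defensive counterpart to the daily-handle trick: once the derivation and seed are pulled out of one sample, a defender can pre-register, block or sinkhole every handle for months ahead, the same way DGA domains are handled, rather than chasing one account per day.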
ick • July 31, 2015 1:14 PM
Makes me think about the asymmetry in the effort required (by attackers to hide/use their malware, vs. defenders trying to detect/block/reverse engineer it). The attackers would obviously like to tilt that as much in their favor as they can, thus they design it to have hundreds of potential C&C channels per day, and if the defenders miss even one of them, they can still control their malware. Defenders have to monitor/block all of them, a much higher level of effort. It's a lot like what Blizzard did with the Warden anti-cheat system for World of Warcraft… they created a situation where cheat developers would have to capture and reverse-engineer hundreds of different Warden code fragments each time Blizzard updated them, in order to safely use their cheats. So 1 developer spends a few hours a week changing the anti-cheat code, and creates dozens or hundreds of hours of work for the cheaters each time. If APT malware authors can pull the same trick, they can overwhelm the resources of the defenders, and/or create enough noise for their attack to hide in. Defenders will have to get increasingly subtle and clever to overcome these kinds of asymmetric tactics. For example, they will have to find subversions that unmask all of the C&C channels simultaneously–reliable ways of distinguishing them from legit user channels.