Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150911-277-FireEye-HammerToss-Stealth Tactics
Raytheon Blackbird Technologies, Inc.
11 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
Stage 3 – The HammerToss implant browses to the URL indicated in the daily Twitter handle using the InternetExplorer.Application COM object and downloads the image to its cache.
Stage 4 – Browse the download cache looking for an image at least the size of the offset provided in the Twitter handle. It then decrypts the encrypted data using the string provided in the Twitter handle and extracts it.
Stage 5 – Execute the commands and upload any collected data from the victim. Many of the HammerToss commands observed have been PowerShell commands. Any collected data is uploaded to a cloud-storage server where it is later retrieved by the operators.
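As an added defensive illustration (not part of the original report), the following correlates constructed proxy log lines per host to flag the sequence the stages above describe: a Twitter profile lookup, followed by a large image fetched from a different site, followed by an upload to a cloud-storage domain within a short window. The log format, the domain lists and the size threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "timestamp host method domain path status content-type bytes"
SAMPLE_LOG = """\
2015-09-11T08:01:10 host-a GET twitter.com /abc123def 200 text/html 5120
2015-09-11T08:01:25 host-a GET compromised-site.invalid /img/banner.jpg 200 image/jpeg 91234
2015-09-11T08:02:40 host-a PUT cloud-storage.invalid /up/7 201 application/octet-stream 44000
2015-09-11T09:00:00 host-b GET twitter.com /someone 200 text/html 5120
2015-09-11T09:00:30 host-b GET cdn.invalid /logo.png 200 image/png 2048
"""

TWITTER = {"twitter.com"}
CLOUD_STORAGE = {"cloud-storage.invalid"}  # assumption: org-maintained list of storage domains
WINDOW = timedelta(minutes=10)             # assumption: stages run close together in time

def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, method, domain, path, status, ctype, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "method": method,
                       "domain": domain, "path": path, "ctype": ctype, "size": int(size)})
    return events

def find_sequences(events, min_image_bytes=50_000):
    """Return (host, twitter_ts, image_ts, upload_ts) for each host that fetched a Twitter
    page, then an image of at least min_image_bytes from another domain, then uploaded to
    a cloud-storage domain, all inside WINDOW. min_image_bytes stands in for the offset
    check in Stage 4 (the image must be large enough to carry the appended payload)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, tw in enumerate(evs):
            if tw["domain"] not in TWITTER or tw["method"] != "GET":
                continue
            img = next((e for e in evs[i + 1:] if e["ctype"].startswith("image/")
                        and e["domain"] not in TWITTER and e["size"] >= min_image_bytes
                        and e["ts"] - tw["ts"] <= WINDOW), None)
            if img is None:
                continue
            up = next((e for e in evs if e["ts"] > img["ts"] and e["method"] in ("PUT", "POST")
                       and e["domain"] in CLOUD_STORAGE and e["ts"] - tw["ts"] <= WINDOW), None)
            if up is not None:
                hits.append((host, tw["ts"], img["ts"], up["ts"]))
    return hits

if __name__ == "__main__":
    for hit in find_sequences(parse(SAMPLE_LOG)):
        print("HammerToss-like sequence:", *hit)
```

Only host-a produces a hit; host-b fetches a small image and never uploads, so it is ignored.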
(S//NF) While HammerToss is an interesting malware sample, the notable aspect is its architecture, specifically its use of Twitter, compromised websites, and cloud storage; there is nothing we can make a PoC recommendation on. We do recommend this architecture be noted for potential full development of a capability beyond the scope of a PoC.
2.0 (U) Description of the Technique
(S//NF) Not applicable as no PoCs are recommended.
3.0 (U) Identification of Affected Applications
(U) Windows.
4.0 (U) Related Techniques
(S//NF) Social Media-based C2 infrastructure.
5.0 (U) Configurable Parameters
(U) Varied.
6.0 (U) Exploitation Method and Vectors
(S//NF) No exploitation methods or attack vectors were mentioned in this report.
7.0 (U) Caveats
(S//NF) The Twitter handle generation algorithm would need to be developed.
8.0 (U) Risks
(S//NF) Not applicable as no PoCs are recommended.
9.0 (U) Recommendations
(S//NF) No PoCs are recommended from this report.