Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150911-277-FireEye-HammerToss-Stealth Tactics
Raytheon Blackbird Technologies, Inc. 11 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report summarizes HammerToss, a suspected Russian state-sponsored malware
sample discovered in early 2015 and suspected to have been operational since late 2014.
HammerToss is an interesting piece of malware because of its architecture, which leverages
Twitter accounts, GitHub or compromised websites, basic steganography, and cloud storage to
orchestrate the command and control (C2) functions of the attack.
(S//NF) HammerToss is written in C# and uses a custom algorithm to name, create and register
Twitter accounts on a daily basis. Each day, the implant checks for that day's Twitter
account. If that day's Twitter handle has not been created and registered by the attacker, the
implant checks the next day for the next Twitter handle. When the attacker creates and
registers the expected Twitter account (as calculated by the algorithm), the attacker posts a URL
and a hashtag. The URL directs the malware to a GitHub website that hosts an image, which is
downloaded and decrypted using a value provided in the hashtag. The image at that URL
contains commands hidden within it using basic steganography (the data is appended to the end of
the file). Figure 1 details the HammerToss components in Twitter.
Figure 1. HammerToss Components in Twitter
(S//NF) The HammerToss malware can be described by its five architectural stages:
Stage 1: HammerToss contains an algorithm that generates Twitter handles, telling the
malware to visit a specific Twitter handle on a specific day. HammerToss visits the specified
Twitter handle to retrieve instructions for the next stage.
Stage 2: The Twitter handle reached in Stage 1 will contain a URL and a hashtag.
The content located at the URL provided is downloaded. The image stored at the URL
contains encrypted commands hidden by steganography. The hashtag provides the offset at
which the commands are stored in the image and a string to be used to decrypt the data.
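The Stage 2 hiding technique, data appended past the end of an image file, is something a defender can check for directly. The following Python script is an added example, not code from the report, FireEye or Raytheon: it walks the PNG chunk list or the JPEG segment list to find where the legitimate image ends and reports any bytes that follow; the two image samples and the placeholder payload are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data: bytes):
    """Offset just past IEND's CRC, or None if the PNG chunk structure is broken."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):                 # length(4) + type(4) + crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end(data: bytes):
    """Offset just past EOI (FF D9); segments are walked by length so an EXIF thumbnail
    (a whole JPEG inside APP1) is not mistaken for the real end of the image."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: legitimate end of the image
            return pos + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data, in
            while pos + 1 < len(data) and not (  # which FF is always stuffed (00) or RSTn
                    data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1
    return None

def trailing_data(data: bytes):
    """(offset, appended bytes) if the file carries data past its image end, else None."""
    end = png_end(data) if data.startswith(PNG_SIG) else jpeg_end(data)
    if end is None or end >= len(data):
        return None
    return end, data[end:]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples (not from the report): a 1x1 PNG and a minimal JPEG, each clean
# and with a stand-in payload appended to the end of the file as the report describes.
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
CLEAN_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 4) + b"JF" + b"\xff\xda"   # SOI, APP0, SOS
              + struct.pack(">H", 2) + b"\x12\xff\x00\x34" + b"\xff\xd9")         # stuffed scan, EOI
TAMPERED_PNG = CLEAN_PNG + b"<encrypted command blob>"
TAMPERED_JPEG = CLEAN_JPEG + b"<encrypted command blob>"
```

Run `trailing_data()` over images fetched from the URLs seen in suspicious traffic; a non-empty trailer is the offset-addressed region the hashtag would point to and is worth retaining for analysis.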
