APT29 HAMMERTOSS
JAYAKRISHNAN M
CONTENTS
• What is APT?
• Who is APT29?
• Introduction to HAMMERTOSS
• 5 Stages of HAMMERTOSS
• Detection and Prevention
• Conclusion
WHAT IS APT?
• Advanced:
Combines multiple attack methods.
Develops or buys zero-day exploits.
High sophistication.
• Persistent:
Avoids detection.
Harvests information over a long period of time.
"Low and slow" approach.
• Threat: skilled, motivated, organized and well-funded adversaries (criminal organizations and, very often, nation states).
Not a single piece of malware, exploit or attack on its own.
WHO USES APT?
• Nations.
• Organized Crime Groups.
• Hacktivist Groups.
TARGETS
• Business Organizations.
• Political Targets.
• Nations.
WHO IS APT29?
• APT29 – a Russian advanced persistent threat group.
• Observed operating since late 2014.
• Suspected to be sponsored by the Russian government.
• Ceases operations on Russian holidays.
• Work hours align with the UTC+3 time zone.
• Disciplined and consistent.
• Uses anti-forensic techniques and monitors the victim's remediation efforts.
• Attacked the US Department of Defense email system in 2014.
• Was able to read President Barack Obama's unclassified emails.
• Led to a partial shutdown of White House email systems.
• Used DDoS.
• Gathered a massive amount of information.
• Distributed it to thousands of Internet accounts within minutes.
HAMMERTOSS
• Stealthy malware.
• Discovered by FireEye in 2015.
• Used as a backdoor by attackers who have already gained access to the network.
• Communication is low, slow and obfuscated.
• Very difficult to detect.
• Uses legitimate services (Twitter, GitHub and cloud storage) as its infrastructure.
VARIANTS
2 variants – both written in C#.
• UPLOADER
• tDiscoverer
UPLOADER
• Hard-coded server for its CnC.
• Goes to a specific page on that server.
• Obtains an image of a specific size.
TDISCOVERER
• More obfuscation.
• Goes to a daily-generated Twitter account to obtain the CnC URL.
• Acquires the target image from that URL.
5 STAGES OF HAMMERTOSS
1. Generate a Twitter handle (the operator registers it).
2. Tweet a URL pointing to an image on GitHub.
3. Download the image containing the payload.
4. Steganography: the instructions are hidden inside the image.
5. Execute the commands.
STAGE 1: COMMUNICATION BEGINS WITH TWITTER
1. HAMMERTOSS (HT) contains an algorithm that generates a Twitter handle for each day.
• Twitter handle: a user ID on Twitter.
2. HT visits the Twitter URL for that day's handle.
3. A. The APT29 operator has registered the handle and tweeted instructions.
• HT gets the instructions from the tweet.
B. The operator has not registered the handle.
• HT waits until the next day.
• Begins the process again with the next day's handle.
• ALGORITHM: uses a base name, e.g. "Bob", and prepends and appends CRC32-derived values computed from the current date. Eg: 1abBob52b
STAGE 1: COMMUNICATION BEGINS WITH TWITTER
• APT29 knows the algorithm, so it can predict the handle for any given day.
• It chooses which days' handles to register.
• It posts obfuscated instructions from the registered handle.
• APT29 can restrict HT's behaviour: check Twitter handles only on weekdays,
and only after a specified start date.
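The Stage 1 logic above, and the defender-side enumeration that the detection section later relies on, as an added example (not HAMMERTOSS's own code). The slides only say that a base name such as "Bob" gets CRC32 values derived from the current date prepended and appended (e.g. "1abBob52b") and that the operator can restrict checks to weekdays and to dates after a start date. The exact CRC32 inputs, the 3-hex-digit affix width and the base name are assumptions chosen to reproduce that shape; the "Twitter" here is a constructed dictionary.

```python
"""Illustration of HAMMERTOSS Stage 1 (daily handle generation) plus the
watchlist enumeration a defender performs after recovering the algorithm.
Added example; the CRC32 inputs and affix width are assumptions."""
import datetime as dt
import zlib

BASE_NAME = "Bob"  # assumed; in practice recovered by reverse engineering the binary


def as_date(iso: str) -> dt.date:
    """Convenience: 'YYYY-MM-DD' -> date."""
    return dt.date.fromisoformat(iso)


def _crc32_hex(data: bytes) -> str:
    """CRC32 of `data` as 8 lowercase hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def generate_handle(day: dt.date, base: str = BASE_NAME) -> str:
    """Handle for `day`: 3 hex digits + base name + 3 hex digits.

    Assumption: prefix = low 12 bits of CRC32 over "YYYY-MM-DD", suffix = low
    12 bits of CRC32 over "DD-MM-YYYY". The page does not say what the real
    implant feeds into CRC32, only that the output looks like 1abBob52b.
    """
    prefix = _crc32_hex(day.isoformat().encode())[-3:]
    suffix = _crc32_hex(day.strftime("%d-%m-%Y").encode())[-3:]
    return f"{prefix}{base}{suffix}"


def should_check_today(day: dt.date, start: dt.date, weekdays_only: bool = True) -> bool:
    """Operator-configured gating from the slides: no checks before `start`,
    and optionally no checks at weekends."""
    if day < start:
        return False
    if weekdays_only and day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    return True


def handles_for_range(start: dt.date, end: dt.date, base: str = BASE_NAME,
                      weekdays_only: bool = True) -> dict:
    """Every handle the implant would visit from `start` to `end` inclusive.

    A defender who has recovered `base` and the algorithm runs exactly this to
    build a watchlist, or to register the handles before the operator does.
    """
    out = {}
    day = start
    while day <= end:
        if should_check_today(day, start, weekdays_only):
            out[day.isoformat()] = generate_handle(day, base)
        day += dt.timedelta(days=1)
    return out


def daily_beacon(day: dt.date, registered: dict, start: dt.date,
                 base: str = BASE_NAME):
    """One day's Stage 1 decision. `registered` stands in for Twitter: it maps
    handles the operator has registered to the tweet on that profile. Returns
    the tweet text if today's handle exists, otherwise None (sleep until
    tomorrow and try the next handle)."""
    if not should_check_today(day, start):
        return None
    return registered.get(generate_handle(day, base))


if __name__ == "__main__":
    start = as_date("2015-07-01")
    # Constructed "Twitter": the operator registered only the 2015-07-29 handle.
    twitter = {generate_handle(as_date("2015-07-29")): "doctorhandbook.com #101docto"}
    for d in ("2015-07-28", "2015-07-29"):
        print(d, generate_handle(as_date(d)), daily_beacon(as_date(d), twitter, start))
    print(handles_for_range(as_date("2015-07-27"), as_date("2015-08-02")))
```

Because the handle depends only on the date and a fixed base name, whoever holds the binary can compute the whole sequence; that is what makes the scheme a domain-generation algorithm in all but name, and why the slides stress that the hard part for defenders is obtaining the binary and recovering the base name.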
STAGE 2: TWEETING URL, FILE SIZE, PART OF KEY
• Once the handle is registered, the operator tweets a URL and a hashtag.
• Eg. doctorhandbook.com #101docto
URL: HT downloads the content hosted at the specified URL.
101 – offset within the image file: the encrypted instructions start at byte 101.
docto – characters appended to the hard-coded key to form the decryption key.
STAGE 3: DOWNLOAD IMAGE FROM GITHUB
• The APT29 operator registers a GitHub page and uploads images to it.
• HT uses the Internet Explorer application COM object to visit the page and download the image, so the traffic looks like ordinary browsing.
STAGE 4: USING STEGANOGRAPHY
• APT29 uses basic steganography.
• Steganography – the practice of concealing a message inside an image.
1. Download the image from the specified URL.
• HT retrieves the image from the browser cache.
• It searches for any image whose size is at least the offset specified in Stage 2.
2. The image looks normal but carries encrypted commands.
3. Decryption key = hard-coded key + the characters obtained from the tweet in Stage 2.
4. The decrypted data contains commands or login credentials.
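Stages 2 to 4 end to end, as an added example rather than the malware's code: parse the tweet, pick a cached image at least as large as the offset, and decrypt the bytes from that offset with hard-coded key + tweet fragment. The slides give the tweet format ("doctorhandbook.com #101docto", 101 = offset, docto = key fragment) and the key composition. The cipher (a SHA-256 counter-mode keystream), the hard-coded key value, the placement of the ciphertext directly after a 101-byte cover image, the cover bytes and the "browser cache" are all assumptions constructed for this example; the page does not name the real cipher.

```python
"""HAMMERTOSS Stages 2-4 as an added illustration: tweet parsing, image
selection from a cache and decryption from the tweeted offset. The cipher,
key value and image bytes are assumptions, not from the page."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

HARDCODED_KEY = b"hammer"  # assumed value; the real hard-coded key is not on the page

# "<url> #<decimal offset><key fragment>". Digits are consumed greedily as the
# offset, so the fragment must start with a letter in this format.
TWEET_RE = re.compile(r"^\s*(?P<url>\S+)\s+#(?P<offset>\d+)(?P<fragment>[A-Za-z]\w*)\s*$")


@dataclass
class Tasking:
    url: str
    offset: int
    key_fragment: str


def parse_tweet(tweet: str) -> Tasking:
    """Stage 2: split the tweet into download URL, byte offset and key fragment."""
    m = TWEET_RE.match(tweet)
    if not m:
        raise ValueError("tweet does not carry '<url> #<offset><fragment>'")
    return Tasking(m["url"], int(m["offset"]), m["fragment"])


def derive_key(fragment: str) -> bytes:
    """Stage 4 key: hard-coded key with the tweet's characters appended."""
    return HARDCODED_KEY + fragment.encode()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in cipher: XOR with a SHA-256(key || counter) keystream.
    Assumption for the demo; encrypt and decrypt are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def embed_payload(cover: bytes, plaintext: bytes, fragment: str) -> bytes:
    """Operator side: ciphertext appended right after the cover image, so the
    offset to tweet is len(cover). Viewers ignore trailing bytes, which is why
    the file still renders as a normal picture."""
    return cover + xor_keystream(derive_key(fragment), plaintext)


def select_cached_image(cache: Dict[str, bytes], offset: int) -> Optional[bytes]:
    """Implant side: take any cached image whose size is at least the offset
    from the tweet (the slides' 'size at least that of offset')."""
    for data in cache.values():
        if len(data) >= offset:
            return data
    return None


def extract_instructions(image: bytes, tasking: Tasking) -> bytes:
    """Stage 4: decrypt everything from the tweeted offset onward."""
    if len(image) < tasking.offset:
        raise ValueError("image smaller than offset")
    return xor_keystream(derive_key(tasking.key_fragment), image[tasking.offset:])


# Constructed 101-byte stand-in for a JPEG: SOI + APP0/JFIF header, zero padded.
COVER_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00".ljust(101, b"\x00")
SAMPLE_TWEET = "doctorhandbook.com #101docto"
SAMPLE_COMMANDS = b"powershell -nop -c Get-ChildItem C:\\Users -Recurse | Out-File C:\\Temp\\dir.txt"


def round_trip(tweet: str = SAMPLE_TWEET, plaintext: bytes = SAMPLE_COMMANDS) -> bytes:
    """Operator embeds; implant parses the tweet, picks an image and decrypts.
    Returns the recovered instructions."""
    tasking = parse_tweet(tweet)
    if len(COVER_IMAGE) != tasking.offset:
        raise ValueError("demo cover image must be exactly `offset` bytes long")
    stego = embed_payload(COVER_IMAGE, plaintext, tasking.key_fragment)
    # Constructed browser cache: one too-small decoy, then the stego image.
    cache = {"logo.gif": b"GIF89a" + b"\x00" * 20, "photo.jpg": stego}
    chosen = select_cached_image(cache, tasking.offset)
    return extract_instructions(chosen, tasking)
```

Note the practical consequence for analysts: without the tweet, a captured image yields ciphertext only, because part of the key lives in a tweet that may already have been deleted; and without the binary, the hard-coded half of the key is unknown too. Both halves are needed, which is exactly the "need of decryption key" challenge listed later.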
STAGE 5: EXECUTING COMMANDS AND UPLOADING VICTIM DATA
• HT executes the decrypted commands (via PowerShell).
• The APT29 operator creates an account on a cloud storage service; its login credentials are part of the decrypted data.
• HT uploads victim data to that cloud storage account, where the operator collects it.
DETECTION AND PREVENTION - CHALLENGES
• Difficulty in identifying the Twitter accounts:
Requires access to the HT binary.
Reverse engineering is needed to identify the base name and the algorithm.
The algorithm yields a new handle every day (hundreds over time), but APT29 registers only a few of them.
• Distinguishing legitimate from malicious traffic: HT talks to legitimate services over SSL, so the communication is encrypted and blends in.
• Locating the payload: steganography and varying image sizes.
The decryption key is needed, and part of it exists only in the tweet.
DETECTION AND PREVENTION
• No current way to prevent infection outright.
• Ensure the OS and all third-party applications are updated.
• Disable any browser plugin that is not needed.
• Detect malicious HT processes running on the network through endpoint monitoring.
• Investigate data exfiltration (unexpected uploads to cloud storage services).
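One detection that becomes possible once the base name has been recovered from the binary, as an added example (not from the page or from FireEye): sweep proxy logs for twitter.com profile requests whose handle fits the generated shape and flag hosts that do this on more than one day. It assumes the base name "Bob" and the 3-hex-digit affix shape seen in the slides' example, and URL-level visibility into twitter.com requests (a TLS-inspecting proxy or endpoint URL telemetry), because plain CONNECT logs show only the host, which is the SSL problem noted above. The log format and every log line are constructed for this example.

```python
"""Added proxy-log detection for HAMMERTOSS-style daily Twitter handle checks.
Assumes the base name and handle shape were recovered from the binary and
that the proxy records full URLs; the log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BASE_NAME = "Bob"  # assumed recovered base name
# Handle shape from the slides' example 1abBob52b: 3 hex digits, base, 3 hex digits.
HANDLE_RE = re.compile(r"^[0-9a-f]{3}" + re.escape(BASE_NAME) + r"[0-9a-f]{3}$", re.IGNORECASE)
# Constructed log format: "<ISO timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
PROFILE_RE = re.compile(r"^https?://(?:www\.|mobile\.)?twitter\.com/([^/?#]+)", re.IGNORECASE)

# Constructed sample: one host checking a fresh handle each morning (404 when
# the operator did not register it), plus an unrelated user whose real handle
# happens to fit the pattern on a single day.
SAMPLE_LOG = """\
2015-07-27T08:03:11Z 10.1.4.22 GET https://twitter.com/1abBob52b 404
2015-07-27T08:04:02Z 10.1.4.22 GET https://github.com/someuser/pics 200
2015-07-27T09:15:40Z 10.1.9.8 GET https://twitter.com/FireEye 200
2015-07-28T08:03:09Z 10.1.4.22 GET https://twitter.com/c07Bob9e1 200
2015-07-28T08:03:10Z 10.1.4.22 GET https://twitter.com/c07Bob9e1/status/1 200
2015-07-29T08:02:58Z 10.1.4.22 GET https://twitter.com/5f2Bob0ad 404
2015-07-29T12:00:00Z 10.1.9.8 GET https://twitter.com/abcBobdef 200
2015-07-29T12:00:30Z 10.1.9.8 GET https://twitter.com/bobsmith 200
"""


def profile_handle(url: str) -> Optional[str]:
    """Handle component of a twitter.com profile (or status) URL, else None."""
    m = PROFILE_RE.match(url)
    return m.group(1) if m else None


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_handle_beacons(log_text: str, min_days: int = 2) -> Dict[str, List[Tuple[str, str]]]:
    """Hosts whose twitter.com profile requests match the generated-handle
    shape on at least `min_days` distinct days, with the (day, handle) pairs.

    The HTTP status is ignored on purpose: an unregistered handle returns 404
    and the implant simply retries tomorrow, so 404s are still beacons. The
    min_days threshold suppresses one-off look-alikes (a real user whose name
    fits the pattern), the false-positive problem the slides mention.
    """
    seen = defaultdict(set)
    for row in parse_log(log_text):
        handle = profile_handle(row["url"])
        if handle and HANDLE_RE.match(handle):
            seen[row["src"]].add((row["ts"][:10], handle))
    return {src: sorted(pairs) for src, pairs in seen.items()
            if len({day for day, _ in pairs}) >= min_days}


if __name__ == "__main__":
    for src, pairs in find_handle_beacons(SAMPLE_LOG).items():
        print(src, pairs)
```

The rotation itself is the strongest signal: a single pattern-matching handle is weak evidence, but the same host fetching a different pattern-matching profile each day, typically at the same hour, is the daily-check behaviour the implant cannot hide even when every individual request looks like ordinary Twitter browsing.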
CONCLUSION
• HT shows APT29's ability to adapt quickly in order to avoid detection and removal.
• A very sophisticated attack.
• No use of ransomware as an HT payload has been reported.
• Takedown actions are likely to be ineffective, since the group is state sponsored.
• Behaviour-based analysis also struggles because of the large number of false positives.
THANK YOU