APT29, also known as Cozy Bear or CozyDuke, is a Russian hacker group believed to be associated with Russian intelligence. Cybersecurity firm CrowdStrike has suggested that it may be associated with the Russian FSB.
They are suspected of being behind the ‘HAMMERTOSS’ remote access tool which uses commonly visited websites like Twitter and GitHub to relay command data.
In August 2015 they were linked to a spear-phishing cyber-attack against the Pentagon email system, which caused the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.
In June 2016, they were implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks.
Researchers at FireEye, Inc. have discovered and investigated a stealthy malware backdoor which they named HAMMERTOSS and attributed to Russian group APT29.
According to their research paper, the group uses a combination of techniques that mimic real user behavior to disguise the malware’s actions as social media interactions.
Once on the user’s system, the HAMMERTOSS malware will go on to Twitter, looking at the activity of a different Twitter user each day, searching for specific tweets from which it extracts various types of data.
The malware is carefully designed to avoid patterns: it rarely visits the same accounts, it does so at random times, or only on weekdays.
Inside the tweets it scans for, HAMMERTOSS will extract two things: a URL and a hashtag.
HAMMERTOSS uses Twitter accounts for CnC instructions
The URL points to an image, usually hosted on GitHub, which is altered using steganography to contain malicious code instructions.
The image is verified using the data extracted from the hashtag, and then its secret data is decrypted using a key, also obtained from the same hashtag.
These hidden instructions can range from PowerShell commands that execute malicious code on the current operating system to upload procedures that send compromised data to a username- and password-protected cloud drive.
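One way a network defender could hunt for the sequence described above (a Twitter profile lookup followed shortly by an image fetch from GitHub) is to correlate web proxy logs per client. This is an added example, not code from the article or from FireEye; the log format, the client addresses, the URLs and the GitHub hostnames are constructed assumptions, and the time window is a tunable heuristic rather than anything the report specifies.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): "timestamp client url" per line.
SAMPLE_LOG = """\
2015-08-03T09:14:02 10.0.0.5 https://twitter.com/handle_of_the_day_1
2015-08-03T09:14:10 10.0.0.5 https://raw.githubusercontent.com/someuser/repo/master/pic.png
2015-08-03T09:20:00 10.0.0.7 https://twitter.com/home
2015-08-03T09:21:00 10.0.0.7 https://github.com/torvalds/linux
2015-08-04T13:02:44 10.0.0.5 https://twitter.com/handle_of_the_day_2
2015-08-04T13:40:00 10.0.0.5 https://raw.githubusercontent.com/someuser/repo/master/logo.jpg
"""

IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")
# Assumed set of hosts that serve GitHub-hosted files.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "user-images.githubusercontent.com"}

def parse_line(line):
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, urlparse(url)

def is_twitter_profile(u):
    # A bare profile page such as https://twitter.com/<handle>, not the home timeline or search.
    parts = u.path.strip("/").split("/")
    return (u.hostname in ("twitter.com", "www.twitter.com")
            and len(parts) == 1 and parts[0] not in ("", "home", "search"))

def is_github_image(u):
    return u.hostname in GITHUB_HOSTS and u.path.lower().endswith(IMAGE_SUFFIXES)

def find_suspect_sequences(log_text, window=timedelta(minutes=10)):
    """Return (client, profile_url, image_url) triples where one client viewed a
    Twitter profile page and then fetched a GitHub-hosted image within `window`."""
    last_profile = {}  # client -> (timestamp, profile url)
    hits = []
    for line in log_text.splitlines():
        ts, client, u = parse_line(line)
        if is_twitter_profile(u):
            last_profile[client] = (ts, u.geturl())
        elif is_github_image(u) and client in last_profile:
            seen_at, profile_url = last_profile[client]
            if ts - seen_at <= window:
                hits.append((client, profile_url, u.geturl()))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_sequences(SAMPLE_LOG):
        print("suspect sequence:", hit)
```

Because the implant chooses its timing at random, a short window misses slower sequences while a long one raises false positives on ordinary browsing; the second day's pair in the sample only surfaces once the window is widened.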
With a lot of effort put into hiding their activities as regular social media “noise,” APT29 have created a malware backdoor that’s hard to detect and distinguish from regular user interactions.
Additionally, “employing legitimate web services that are widely allowed in organizations’ networks – some of which use Secure Sockets Layer connections that ensure the communications are encrypted – makes it harder for network defenders to discern between malicious and legitimate traffic,” say FireEye researchers.
And if organizations do start monitoring and blocking Twitter and GitHub traffic, which is highly unlikely, APT29 will always have the option of switching to other social media networks such as Facebook or Imgur, keeping the upper hand at all times.