Social networking sites have already seen their fair share of malware exploits, and the most recently discovered, ‘Hammertoss’, could potentially be the sneakiest yet.
In the hackers’ aim to make their software undiscoverable by both users and anti-malware software, Hammertoss mimics the user’s behaviour and sends all traffic as genuine posts on Twitter, bypassing the anti-malware protection to “relay commands and extract data from compromised networks”. The discovery was made by security firm FireEye and is believed to be the work of a Russian hacker group which FireEye is calling APT29.
Once the software is on the target’s computer it checks into Twitter and, using an algorithm, searches for specific Twitter accounts from which it will receive its instructions. Hammertoss can receive orders through images placed online which contain hidden, encrypted data waiting to be unpacked and executed. These instructions are sent as regular Twitter posts, looking ordinary to the eye. Once received, the software loads the referenced image (again looking perfectly normal but actually containing further instructions within its data). With all this in place, the software then starts to transmit data from the target computer to a newly set up cloud service from which APT29 can retrieve it, leaving no trace of the group’s actions.
What makes Hammertoss unique is its reliance on trusted services such as Twitter and document cloud services, which are usually okayed by anti-malware tools. FireEye suspects the tool is being used sparingly to remain elusive and currently only targets a small number of high-value targets. The suspicion is that other cybercriminals will likely copy this method for their own uses.
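Because the traffic itself is to allow-listed services, one thing a defender can still look for is the cadence: a human browsing Twitter produces irregular gaps between requests, while a scheduled check-in from an implant produces near-constant ones. The script below is an added illustration of that idea, not FireEye’s detection logic or anything from the Hammertoss analysis. It parses a constructed, simplified proxy log format (timestamp, source host, method, destination host, path; all hostnames and workstation names are made up) and flags any workstation whose requests to the watched service arrive at a suspiciously regular interval. The thresholds (`min_hits`, `max_cv`) are assumed values for the example, to be tuned against real baselines.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic).
# Format per line: "<timestamp> <src_host> <method> <dest_host> <path>"
# ws-101 browses Twitter at irregular, human-looking intervals.
# ws-207 hits the same profile once an hour, to the second: a beacon-like pattern.
SAMPLE_LOG = """\
2015-07-29T09:00:03Z ws-101 GET twitter.com /alice_smith
2015-07-29T09:14:51Z ws-101 GET twitter.com /home
2015-07-29T10:02:17Z ws-101 GET twitter.com /explore
2015-07-29T11:30:44Z ws-101 GET twitter.com /bob_jones
2015-07-29T09:00:00Z ws-207 GET twitter.com /q3v7kx2m
2015-07-29T10:00:01Z ws-207 GET twitter.com /q3v7kx2m
2015-07-29T11:00:00Z ws-207 GET twitter.com /q3v7kx2m
2015-07-29T12:00:02Z ws-207 GET twitter.com /q3v7kx2m
2015-07-29T13:00:00Z ws-207 GET twitter.com /q3v7kx2m
2015-07-29T09:05:00Z ws-309 GET example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn the constructed log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "host": host,
            "path": path,
        })
    return events


def find_beacons(events, watched_host="twitter.com", min_hits=4, max_cv=0.1):
    """Flag source hosts whose requests to watched_host are spaced with very low jitter.

    The coefficient of variation (std dev / mean) of the inter-request gaps is the
    regularity score: close to 0 means a timer-driven client, larger means a person.
    Returns {src_host: {"hits", "mean_gap_s", "cv"}} for hosts at or below max_cv.
    """
    per_src = {}
    for e in events:
        if e["host"] == watched_host:
            per_src.setdefault(e["src"], []).append(e["ts"])

    findings = {}
    for src, times in per_src.items():
        times.sort()
        if len(times) < min_hits:       # too few samples to judge regularity
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings[src] = {"hits": len(times), "mean_gap_s": round(avg), "cv": round(cv, 4)}
    return findings


if __name__ == "__main__":
    for src, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['hits']} requests, ~{info['mean_gap_s']}s apart (cv={info['cv']})")
```

On the constructed log only `ws-207` is reported; `ws-101` has the same number of visits but its gaps vary by a factor of six, so its coefficient of variation is far above the threshold. In practice this heuristic is a triage signal rather than a verdict: a legitimate dashboard or scheduled job can beacon too, so a hit should be paired with what the host fetched (an unfamiliar profile, image downloads, a follow-on upload to a cloud storage service) before anyone acts on it.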
Whether or not this methodology is recreated elsewhere, the need for organisations to be vigilant in monitoring and defending their systems is obvious, whatever systems and platforms are used. Good practice management is to have up-to-date policies on a) who can be an administrator or content editor on any corporate social media platform, b) reviewing content regularly to ensure what is posted is correct and appropriate, and c) using the most robust software available to guard against pernicious zero-day vulnerabilities. However, the cunning and shadowy nature of this form of cyber threat is clearly going to be very difficult to counter.