Software: HAMMERTOSS, HammerDuke, NetDuke

Category: Software
ID: S0037
Aliases: HAMMERTOSS, HammerDuke, NetDuke
Type: Malware

HAMMERTOSS is a backdoor that was used by APT29 in 2015.[1][2]

Techniques Used

  • Web Service - The "tDiscoverer" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.[1]
  • Data Obfuscation - HAMMERTOSS is controlled via commands that are appended to image files.[1]
  • Custom Cryptographic Protocol - Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.[1]
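The Data Obfuscation entry above describes commands being appended to image files. A defender can check for that pattern without any knowledge of the encryption: a well-formed PNG ends at its IEND chunk and a well-formed JPEG at its EOI marker, so any bytes after that structural end are suspicious. The following detector is an added example written for this page; it is not code from the HAMMERTOSS analysis or from this wiki. The sample images it builds are constructed inline for demonstration (the JPEG is structurally walkable but not a decodable picture), and the appended bytes are a made-up placeholder, not real HAMMERTOSS data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def trailing_payload(data: bytes) -> bytes:
    """Return every byte that follows the image's structural end marker.

    An empty result means the file ends where its format says it should;
    anything else is data a normal encoder would not have written there.
    """
    if data.startswith(PNG_SIG):
        return _png_trailer(data)
    if data.startswith(JPEG_SOI):
        return _jpeg_trailer(data)
    raise ValueError("not a PNG or JPEG")


def _png_trailer(data: bytes) -> bytes:
    # PNG is a sequence of chunks: 4-byte length, 4-byte type, data, 4-byte CRC.
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if ctype == b"IEND":          # IEND must be the final chunk
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")


def _jpeg_trailer(data: bytes) -> bytes:
    # Walk marker segments so that an FF D9 inside an embedded thumbnail
    # (EXIF) is not mistaken for the real end of image.
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI
            return data[pos + 2:]
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: entropy-coded data follows
            # FF 00 is byte stuffing and FF D0..D7 are restart markers;
            # any other FF xx ends the scan data.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 \
                        and not 0xD0 <= data[pos + 1] <= 0xD7:
                    if data[pos + 1] == 0xD9:
                        return data[pos + 2:]
                    break              # another segment; keep walking
                pos += 1
    raise ValueError("no EOI marker")


# --- constructed sample images (hypothetical, for demonstration only) ---

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(trailer: bytes = b"") -> bytes:
    """A valid 1x1 greyscale PNG with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def make_jpeg(trailer: bytes = b"") -> bytes:
    """A structurally valid JPEG skeleton (APP0, SOS, EOI) plus optional trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34"        # includes a stuffed FF 00 to exercise the parser
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    suspicious = b"PLACEHOLDER-APPENDED-BYTES"  # constructed, not real C2 content
    for name, blob in (("clean.png", make_png()), ("tampered.png", make_png(suspicious)),
                       ("clean.jpg", make_jpeg()), ("tampered.jpg", make_jpeg(suspicious))):
        extra = trailing_payload(blob)
        print("%-13s %d trailing byte(s)" % (name, len(extra)))
```

Run over an image directory, a non-zero trailer count is a triage signal rather than proof: some legitimate tools also leave bytes after the end marker, so pair the check with the file's origin (downloaded by a process that then made Twitter or GitHub requests, as described above) before escalating.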

Groups

The following groups use this software: