Hammertoss malware uses Twitter, GitHub to assemble itself

2014-06-11

Security firm FireEye has uncovered a piece of malware that may be much harder than usual to detect. It’s called Hammertoss and according to the company, it’s likely being used by a state-sponsored hacking group with Russian ties.

As a general rule of thumb, security programs look for unusual behavior – a piece of malware or a virus in action, for example – as a first line of defense. If something is “off,” it’ll throw up a red flag and the security program will dig deeper to find the issue.

Hammertoss, however, is designed to go undetected because its network activity looks like that of the system’s user – you – browsing ordinary sites.

Upon successful infection, Hammertoss turns to Twitter, scanning for messages from specific users to tell it what to do next. From there, it heads over to GitHub where it grabs an image laced with code that provides its next step. Once it has essentially assembled itself, it begins uploading data from the target computer to a cloud server where the masterminds can access it.
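As an added example (not part of the article or of FireEye’s research), here is a small proxy-log correlator in Python that flags a host whose outbound requests follow the stage order described above: a Twitter read, then a GitHub image fetch, then a bulk upload to cloud storage, all within a short window. The log lines, hostnames and the cloud-storage domain are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real data): "timestamp host method url bytes_sent".
SAMPLE_LOG = """\
2014-06-11T09:00:02 ws-17 GET https://twitter.com/some_handle 412
2014-06-11T09:00:40 ws-17 GET https://raw.githubusercontent.com/demo/repo/pic.png 380
2014-06-11T09:03:15 ws-17 PUT https://cloudstorage.example/bucket/blob 2097152
2014-06-11T09:05:00 ws-22 GET https://twitter.com/news 290
2014-06-11T10:30:00 ws-22 GET https://github.com/demo/repo/pic.png 300
2014-06-11T09:10:00 ws-31 PUT https://cloudstorage.example/bucket/x 5000
"""
# Stages in the order the article describes; the cloud-storage host is a placeholder.
STAGES = [
    ("twitter", lambda m, u: m == "GET" and "twitter.com" in u),
    ("github_image", lambda m, u: m == "GET" and "github" in u and u.lower().endswith((".png", ".jpg", ".gif"))),
    ("cloud_upload", lambda m, u: m in ("PUT", "POST") and "cloudstorage.example" in u),
]

def parse(log_text):
    # Turn the log text into (timestamp, host, method, url, bytes) tuples.
    events = []
    for line in log_text.splitlines():
        ts, host, method, url, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, method, url, int(nbytes)))
    return events

def find_stage_chains(log_text, window_minutes=15, min_upload_bytes=1_000_000):
    """Return {host: (first_ts, last_ts)} for hosts completing all stages in order."""
    per_host = defaultdict(list)
    for ev in sorted(parse(log_text)):
        per_host[ev[1]].append(ev)
    flagged = {}
    for host, events in per_host.items():
        stage, start = 0, None
        for ts, _, method, url, nbytes in events:
            if stage > 0 and ts - start > timedelta(minutes=window_minutes):
                stage, start = 0, None  # chain took too long; start over
            name, matches = STAGES[stage]
            if not matches(method, url):
                continue
            if name == "cloud_upload" and nbytes < min_upload_bytes:
                continue  # small writes are routine; only a bulk upload ends the chain
            if stage == 0:
                start = ts
            stage += 1
            if stage == len(STAGES):
                flagged[host] = (start, ts)
                break
    return flagged
```

Only ws-17 completes the chain; ws-22 reaches GitHub too late and is reset, and ws-31 never reads Twitter at all.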

FireEye says they haven’t seen this level of sophistication before.

As you might expect, Hammertoss has so far been used against only a few very high-value targets. Hackers with the skills needed to create it wouldn’t bother swiping photos or credit card data from random citizens; it’s just too complicated and likely too expensive to use for that.

Or as FireEye threat researcher Jordan Berry notes, they use it sparingly so that it remains effective.

As word about it spreads, however, cybercriminals may well pick it up.
