APT29 HAMMERTOSS Jayakrishnan M.

Presentation on theme: "APT29 HAMMERTOSS Jayakrishnan M."— Presentation transcript:

1 APT29 HAMMERTOSS Jayakrishnan M

2 Contents What is APT? Who is APT29? Introduction to Hammertoss
5 Stages of Hammertoss Detection and Prevention Conclusion

3 WHAT is APT?
Advanced: Combines multiple attack methods. Develops or buys zero-day exploits. High sophistication. Persistent: Avoids detection. Harvests information over a long time. “Low and slow” approach. Threat: Skilled, motivated, organized and well-funded criminal organizations. Not malware, an exploit or an attack alone.

4 Who USES APT?
Users: Nations. Organized crime groups. Hacktivist groups. Targets: Business organizations. Political targets. Nations.

5 APT29 – Russian Advanced Persistent Threat Group.
Operating from late 2014. Suspected to be sponsored by the Russian government. Ceases operations on Russian holidays. Working hours aligned to the UTC+3 time zone. Disciplined and consistent. Uses anti-forensic techniques and monitors victim remediation efforts.

6 Attacked US Department of Defense Email System in 2014.
Was able to read President Barack Obama’s unclassified emails. Led to a partial shutdown of White House systems. Used DDoS. Gathered a massive amount of information. Distributed it to thousands of Internet accounts within minutes.

7 HAMMERTOSS Stealthy Malware. Discovered by FireEye in 2015.
Used as a backdoor by attackers who have already gained access to the network. Communication is low, slow and obfuscated. Very difficult to detect. Uses Twitter, GitHub and cloud storage.

8 VARIANTS
Two variants, both written in C#: UPLOADER and tDiscoverer.

9 UPLOADER
Hard-coded server for its CnC. Goes to a specific page. Obtains an image of a specific size.

10 tDISCOVERER More obfuscation.
Goes to a Twitter account to obtain the CnC URL. Acquires the target image from that URL.

11 5 Stages of Hammertoss
1. Creates Twitter handle. 2. Tweets URL to image on GitHub. 3. Downloads image containing payload. 4. Uses steganography to hide instructions. 5. Executes commands.

12 STAGE 1: Communication begins with twitter
Hammertoss (HT) contains an algorithm to generate Twitter handles. Twitter handle: the user ID on Twitter. HT visits the Twitter URL for the handle. A. The APT29 operator registers the handle and tweets instructions; HT gets its instructions from the tweet. B. The operator does not register the handle; HT waits until the next day and begins the process again.

13 STAGE 1: Communication begins with twitter
ALGORITHM: Uses a base name, e.g. “Bob”. Prepends and appends CRC32 values based on the current date, e.g. 1abBob52b.

14 STAGE 1: Communication begins with twitter
APT29 knows the algorithm used to generate handles. Chooses which handle to register. Posts an obfuscated instruction to the handle. APT29 restricts the implant: it checks Twitter handles only on weekdays, and only from a specified start date.
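Slide 21 notes that finding the Twitter accounts requires the base name and the algorithm recovered from the HT binary. The following added example (not code from the presentation or from FireEye) shows what a defender does with them once they are known: rebuild the day-by-day candidate handles into a watchlist, restrict it to weekdays as slide 14 describes, and check proxy logs for hosts fetching one of those handles. The slides do not say which string is fed to CRC32 or how the value is shortened to three characters, so the hashing of the ISO date, the reversed ISO date and the low three hex digits are assumptions, as are the base name "Bob", the proxy log format and every log line, which are constructed sample data.

```python
import re
import zlib
from datetime import date, timedelta

# Added example: defender-side watchlist for the handle scheme on slides 13-14.
# Assumptions (not taken from the binary): prefix = CRC32 of the ISO date,
# suffix = CRC32 of the reversed ISO date, each shortened to its low 3 hex
# digits. Base name "Bob" and the proxy log lines are constructed sample data.


def crc_fragment(text: str, digits: int = 3) -> str:
    """Low `digits` hex digits of CRC32(text); the shortening is an assumption."""
    crc = zlib.crc32(text.encode("utf-8")) & 0xFFFFFFFF
    return f"{crc:08x}"[-digits:]


def handle_for_day(base: str, day: date) -> str:
    """Candidate handle for one day: <crc fragment><base name><crc fragment>."""
    iso = day.isoformat()
    return f"{crc_fragment(iso)}{base}{crc_fragment(iso[::-1])}"


def build_watchlist(base: str, start: date, days: int, weekdays_only: bool = True) -> dict:
    """Map every candidate handle in the window to the date it belongs to.

    Slide 14 says the implant only checks handles on weekdays, so weekend
    dates are skipped by default; `start` mirrors the configured start date.
    """
    watch = {}
    for i in range(days):
        day = start + timedelta(days=i)
        if weekdays_only and day.weekday() >= 5:
            continue
        watch[handle_for_day(base, day)] = day
    return watch


def looks_generated(handle: str, base: str) -> bool:
    """Weaker signal when the hashed input is unknown: hex-base-hex shape only."""
    return re.fullmatch(rf"[0-9a-f]{{3}}{re.escape(base)}[0-9a-f]{{3}}", handle) is not None


TWITTER_URL = re.compile(r"https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]+)", re.IGNORECASE)


def find_handle_hits(log_lines, watchlist: dict) -> list:
    """Return (client, handle, expected_day) for every proxy log line that
    fetches a watchlisted Twitter profile. Assumed format: 'ts client method url'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        m = TWITTER_URL.match(fields[3])
        if m and m.group(1) in watchlist:
            hits.append((fields[1], m.group(1), watchlist[m.group(1)]))
    return hits


# Constructed proxy log: one weekday request for that day's generated handle,
# one Saturday request (outside the weekday window) and ordinary noise.
WINDOW_START = date(2015, 7, 13)  # a Monday, chosen for the sample
SAMPLE_PROXY_LOG = [
    f"2015-07-14T09:02:11Z 10.0.0.25 GET https://twitter.com/{handle_for_day('Bob', date(2015, 7, 14))}",
    "2015-07-14T09:02:12Z 10.0.0.25 GET https://twitter.com/fireeye",
    f"2015-07-18T11:40:00Z 10.0.0.31 GET https://twitter.com/{handle_for_day('Bob', date(2015, 7, 18))}",
    "2015-07-15T13:00:00Z 10.0.0.40 GET https://github.com/octocat",
]


if __name__ == "__main__":
    watch = build_watchlist("Bob", WINDOW_START, days=7)
    for client, handle, day in find_handle_hits(SAMPLE_PROXY_LOG, watch):
        print(f"{client} fetched candidate handle {handle}, expected on {day}")
```

The exact-match watchlist is the strong signal; `looks_generated` is the fallback shape check for when only the base name is known, and it is worth keeping in mind that it will also match legitimate handles that happen to have that shape.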

15 STAGE 2: Tweeting URL, FILE SIZE, PART OF KEY
Once the handle is registered, the operator tweets a URL and a hashtag, e.g. doctorhandbook.com #101docto. 101: location within the image file; the instruction starts at byte 101. docto: part of the decryption key. URL: download the content hosted at the specified URL.

16

17 STAGE 3: download image from GitHub
APT29’s operator registers a GitHub page and uploads images to it. HT uses the Internet Explorer application COM object to visit the page and download the image.

18

19 STAGE 4: Using Steganography
APT29 uses basic steganography. Steganography: the practice of concealing a message in images. HT downloads the image from the specified URL, then retrieves it from the browser cache. It searches for any image whose size is at least the offset specified in stage 2. The image looks normal but carries encrypted commands. Decryption key = hard-coded key + characters obtained from the tweet in stage 2. The data includes commands or login credentials.
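To show how the pieces from stage 2 and stage 4 fit together on the analyst's side, here is an added example (not the presentation's or FireEye's code) that parses the tweet into URL, offset and key part, composes the key from a hard-coded value plus the tweet characters, selects cached images that are large enough to hold data at that offset, and decodes the bytes that follow it. The slides do not give the real hard-coded key, the exact tweet grammar, whether the offset is zero- or one-based, or the cipher, so the placeholder key, the regular expression, the zero-based offset and the repeating-key XOR stand-in are all assumptions; the browser-cache contents are constructed sample data.

```python
import re
from dataclasses import dataclass

# Added example: analyst-side decoder for the slide 15 tweet format and the
# slide 19 image handling. Assumptions, not from the slides: tweet grammar
# "<url> #<offset><key part>", zero-based byte offset, a placeholder
# hard-coded key, and a repeating-key XOR standing in for the unspecified
# cipher. All tweets and images below are constructed sample data.

TWEET_RE = re.compile(r"(?P<url>\S+)\s+#(?P<offset>\d+)(?P<key>[A-Za-z]+)")
HARD_CODED_KEY = b"PLACEHOLDER-STATIC-KEY"  # placeholder; the real value lives in the binary


@dataclass(frozen=True)
class TweetInstruction:
    url: str       # where the image is hosted (slide 15: download content at this URL)
    offset: int    # byte position where the hidden instruction starts
    key_part: str  # characters appended to the hard-coded key


def parse_tweet(text: str) -> TweetInstruction:
    """Split 'doctorhandbook.com #101docto' into URL, offset 101 and key part 'docto'."""
    m = TWEET_RE.search(text)
    if m is None:
        raise ValueError(f"tweet does not match the expected shape: {text!r}")
    return TweetInstruction(m["url"], int(m["offset"]), m["key"])


def compose_key(hard_coded: bytes, key_part: str) -> bytes:
    """Slide 19: decryption key = hard-coded key + characters from the tweet."""
    return hard_coded + key_part.encode("ascii")


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for the unspecified cipher; symmetric, so it also builds samples."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_images(cache: dict, offset: int) -> list:
    """Slide 19: only images at least as large as the offset can carry data."""
    return [name for name, blob in cache.items() if len(blob) >= offset]


def recover_instructions(tweet: str, cache: dict, hard_coded: bytes = HARD_CODED_KEY) -> dict:
    """For each large-enough cached image, decode the bytes from the offset onward."""
    instr = parse_tweet(tweet)
    key = compose_key(hard_coded, instr.key_part)
    found = {}
    for name in candidate_images(cache, instr.offset):
        hidden = cache[name][instr.offset:]
        if hidden:  # an image exactly `offset` bytes long carries nothing
            found[name] = xor_stream(hidden, key)
    return found


PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_TWEET = "doctorhandbook.com #101docto"  # the example from slide 15


def build_sample_cache() -> dict:
    """Constructed browser cache: one image too small to qualify and one
    carrying a stand-in instruction after byte 101 (the sample tweet's offset)."""
    instr = parse_tweet(SAMPLE_TWEET)
    key = compose_key(HARD_CODED_KEY, instr.key_part)
    carrier = PNG_MAGIC + b"\x00" * (instr.offset - len(PNG_MAGIC))
    carrier += xor_stream(b"sample-instruction", key)
    small = PNG_MAGIC + b"\x00" * 32
    return {"thumb.png": small, "banner.png": carrier}


if __name__ == "__main__":
    for name, data in recover_instructions(SAMPLE_TWEET, build_sample_cache()).items():
        print(f"{name}: {data!r}")
```

The size filter is the same one slide 21 calls out as a detection problem: because the carrier only has to be at least `offset` bytes long, file size alone does not single it out among cached images, and without the key part from the tweet the bytes past the offset look like any other image data.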

20 STAGE 5: Executing commands and uploading victim data
Creates a cloud storage account. Obtains victim data from the cloud storage service.

21 Detection and prevention - Challenges
Difficulty in identifying the Twitter accounts: requires access to the HT binary and reverse engineering it to identify the base name and algorithm; HT generates hundreds of candidate accounts, but only a few are registered. Distinguishing legitimate from malicious traffic: SSL connections are used for encrypted communication. Locating the payload: steganography and varying image sizes are used, and the decryption key is needed.

22 Detection and prevention
No current way to prevent infection. Ensure the OS and all third-party applications are kept updated. Disable any browser plugin that is not needed. Detect malicious HT processes running on the network through endpoint monitoring. Investigate data exfiltration.

23 CONCLUSION
HT shows APT29’s ability to adapt quickly, avoiding detection and removal. Very sophisticated attack. No use of ransomware as an HT payload has been reported. Takedown actions are likely to be ineffective since the group is state sponsored. Behavior-based analysis also fails because of the large number of false positives.

24 Thank YOU

