HAMMERTOSS
Posted: August 11, 2015
| Threat Metric | Value |
|---|---|
| Threat Level | 8/10 |
| Infected PCs | 30 |
| First Seen | August 11, 2015 |
| Last Seen | November 5, 2021 |
| OS(es) Affected | Windows |
HAMMERTOSS is a backdoor Trojan that hides its command-and-control traffic inside ordinary use of social media and code-hosting services, which lets it slip past many PC security products. Although HAMMERTOSS is most likely being used in targeted campaigns against specific corporate and government networks, its backdoor capabilities also can affect personal computers and lead to the theft of information. Thorough, repeated anti-malware scans should follow any suspected HAMMERTOSS infection, both to delete HAMMERTOSS and to remove related threats that may have been installed alongside it.
The Hammer Tweeted Straight Through Your Security
Although the backdoor Trojan known as HAMMERTOSS has been active through 2015, the details of its campaign published by FireEye show that this threat gives its operators more than most Trojans do. In a move that sidesteps standard security controls on infected machines while also shielding the C&C infrastructure, HAMMERTOSS takes its instructions from steganographic images and short text messages posted on public services. Currently, HAMMERTOSS uses Twitter and GitHub for this purpose, although nothing prevents its operators from switching to Facebook or other sites.
Each day HAMMERTOSS generates a new Twitter handle from a base name plus characters derived from the current date, and checks that account for a tweet containing a Web link and a hashtag. The URL points to an image, hosted on GitHub, that carries encrypted data hidden by steganography; the hashtag supplies what is needed to interpret it, namely the offset in the image file at which the hidden data begins and characters that are appended to an encryption key stored in the binary. HAMMERTOSS can also be configured to check only on certain days and at certain hours. The overall effect is that HAMMERTOSS's C&C traffic is difficult to distinguish from ordinary Twitter and GitHub browsing.
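As an added example (not HAMMERTOSS's own code, and not taken from this page or from FireEye's report), the following Python emulates the retrieval cycle just described end to end against a constructed tweet and a constructed image file. The cipher is a keyed-XOR stand-in, since the page does not specify the real one, and the handle generator is likewise a stand-in; only the shape of the hashtag (a decimal offset followed by key characters) follows FireEye's public description. Every name, URL and value in the block is constructed for illustration.

```python
"""
Added example: emulation of the HAMMERTOSS-style tasking cycle.
Not the malware's code. Cipher, handle generator, key, URL and tweet
are all constructed stand-ins for illustration.
"""
import hashlib
import re
from datetime import date

BASE_KEY = b"base-key-from-binary"   # constructed stand-in for the key FireEye says the binary stores
HANDLE_BASENAME = "bob52b"           # constructed operator-chosen base name


def daily_handle(basename: str, day: date) -> str:
    """Stand-in for the daily-handle algorithm: base name plus date-derived characters.

    The real derivation is not on this page; the point is that the polled
    account changes every day, so blocking one handle does not break the channel.
    """
    tag = hashlib.sha256(day.isoformat().encode()).hexdigest()[:4]
    return f"{basename}{tag}"


def allowed_to_poll(day: date, weekdays=(0, 1, 2, 3, 4)) -> bool:
    """Operators can restrict polling to chosen days; Monday to Friday here."""
    return day.weekday() in weekdays


def parse_tweet(text: str):
    """Pull the image URL, the byte offset and the key suffix out of a tweet.

    Returns None for a tweet that is not a tasking tweet, so the implant keeps waiting.
    """
    url = re.search(r"https?://\S+", text)
    tag = re.search(r"#(\d+)(\w*)", text)   # assumed layout: <offset><key characters>
    if not url or not tag:
        return None
    return url.group(0), int(tag.group(1)), tag.group(2)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Placeholder symmetric cipher; the same call hides and recovers the blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_in_image(cover: bytes, commands: bytes, key_suffix: str):
    """Operator side: append the encrypted tasking after the cover image.

    Returns the image and the offset the operator must publish in the hashtag.
    """
    blob = xor_stream(commands, BASE_KEY + key_suffix.encode())
    return cover + blob, len(cover)


def recover_commands(image: bytes, offset: int, key_suffix: str) -> bytes:
    """Implant side: seek to the offset, rebuild the key from the suffix, decrypt."""
    return xor_stream(image[offset:], BASE_KEY + key_suffix.encode())


# Constructed cover: a JPEG start marker, filler, and an end-of-image marker.
COVER = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"
# Constructed tasking: a PowerShell command and an upload instruction.
COMMANDS = b"ps: Get-ChildItem C:\\Users; upload: C:\\Users\\victim\\notes.txt"
KEY_SUFFIX = "docto"


def run_cycle(day: date = date(2015, 8, 11)):
    """One day's cycle; returns handle, URL and recovered tasking, or None if idle."""
    if not allowed_to_poll(day):
        return None
    handle = daily_handle(HANDLE_BASENAME, day)
    image, offset = hide_in_image(COVER, COMMANDS, KEY_SUFFIX)
    # Constructed tweet the operator would post from today's handle.
    tweet = f"https://github.com/example/pics/raw/main/cover.jpg #{offset}{KEY_SUFFIX}"
    parsed = parse_tweet(tweet)
    if parsed is None:
        return None
    url, off, suffix = parsed
    return {"handle": handle, "url": url, "commands": recover_commands(image, off, suffix)}


if __name__ == "__main__":
    print(run_cycle())
```

What the defender sees on the wire is the point: a request to a Twitter account, a download of a JPEG from GitHub and, later, an HTTPS upload, none of which is individually unusual. Blocking the handle or the image URL does nothing for the next day's cycle, so detection has to key on the polling pattern or on the files themselves.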
HAMMERTOSS then uses the decrypted data to decide what to do next. Malware researchers have verified the following capabilities so far:
- HAMMERTOSS may run PowerShell commands or scripts taken from the decrypted instructions.
- HAMMERTOSS also may execute commands directly from the steganography-based data without going through Windows PowerShell.
- HAMMERTOSS may save files to the hard drive, including additional threats.
- HAMMERTOSS may launch files on the PC, including previously downloaded threats or default Windows components.
- HAMMERTOSS also may upload data from the PC, such as account credentials. Like its main communications channel, this function abuses a benign Internet service: in this case, a cloud storage account chosen by the operators.
Tossing HAMMERTOSS a Goodbye Message
Steganography isn't a new tactic, and it appears in threats older than HAMMERTOSS such as Stegoloader, Shady RAT and the Zberp Trojan. However, HAMMERTOSS's developer, APT29, has gone to extreme lengths to exploit the strengths of this technique for concealing the Trojan's activities. Ironically, because Twitter, GitHub and the cloud storage service are all reached over HTTPS, the TLS encryption that corporate and government networks rely on to protect legitimate traffic also shields HAMMERTOSS's traffic from network inspection, unless that traffic is decrypted at a proxy.
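Because the channel itself is TLS-wrapped, one place a defender can still look is the image files that land on the host or pass through a decrypting proxy. The Python below, an added example rather than the page's or FireEye's code, checks for the simplest form of image steganography, a blob appended after the image's end marker, which is consistent with the page's description of an offset into the image file at which hidden data begins. The sample JPEG and PNG are constructed skeletons that are structurally valid but not decodable pictures, and the trailer is a constructed blob; the threshold is an assumed tuning value.

```python
"""
Added example: find data appended after a JPEG or PNG ends.
Not from the page or from FireEye. Sample files and payload are constructed.
"""
import zlib

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the segment structure.

    Searching for the last FF D9 is not enough: an EXIF thumbnail carries its
    own EOI, and an encrypted trailer can contain FF D9 by chance.
    """
    if data[:2] != JPEG_SOI:
        raise ValueError("not a JPEG")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                       # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                       # EOI
            return i + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                               # standalone markers carry no length
            continue
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        i += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker: EOI, next SOS, ...
                i += 1
    raise ValueError("no EOI marker found")


def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk (4-byte length, type, data, 4-byte CRC)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    i = 8
    while i + 8 <= len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    raise ValueError("no IEND chunk found")


def trailing_data(data: bytes) -> bytes:
    """Bytes after the image proper; empty for a clean file."""
    if data.startswith(JPEG_SOI):
        return data[jpeg_end(data):]
    if data.startswith(PNG_SIG):
        return data[png_end(data):]
    raise ValueError("unsupported format")


def is_suspicious(data: bytes, min_trailer: int = 16) -> bool:
    """Flag files with a non-trivial trailer. min_trailer is an assumed tuning value."""
    return len(trailing_data(data)) >= min_trailer


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")


# Constructed JPEG skeleton: SOI, APP0, SOS, scan data with a stuffed FF 00 and an RST0, EOI.
_app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
_scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\x00"
CLEAN_JPEG = JPEG_SOI + _app0 + _sos + _scan + b"\xff\xd9"

# Constructed PNG skeleton: signature, 1x1 IHDR, IEND.
_ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"
CLEAN_PNG = PNG_SIG + _png_chunk(b"IHDR", _ihdr) + _png_chunk(b"IEND", b"")

# Constructed trailer standing in for an encrypted blob; it deliberately contains FF D9.
PAYLOAD = b"\x9c\x01\xff\xd9\x42" + bytes(range(40, 80))


if __name__ == "__main__":
    for name, img in (("jpeg", CLEAN_JPEG), ("png", CLEAN_PNG)):
        print(name, "clean:", is_suspicious(img), "with trailer:", is_suspicious(img + PAYLOAD))
```

The end offsets are found by walking the file's structure rather than searching for the last FF D9 or the last IEND, which would be fooled by an EXIF thumbnail or by a marker that happens to occur inside an encrypted trailer. Even so, some legitimate tools append metadata or padding after the image, so a trailer is a triage signal to pair with the host's network history, not proof of HAMMERTOSS on its own.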
Malware researchers sometimes see HAMMERTOSS installed alongside other threats, including other backdoor Trojans that provide redundant, backup access so the attackers keep their foothold on the system. PC users concerned about this threat should reboot into Safe Mode and use a trusted anti-malware tool to scan the system until HAMMERTOSS and any related threats are deleted. As a stealth-oriented Trojan, HAMMERTOSS does not post tweets of its own and produces no obvious, visible symptoms of its activity; the traffic it does generate consists of reads from Twitter, downloads from GitHub and uploads to cloud storage, all of which look like ordinary user activity.