A Russian hacker group used a technique called steganography to hide messages inside photos hosted on GitHub. Meanwhile, infected machines were instructed to check different Twitter accounts programmatically every day, and if a tweet was displayed, the malware on the infected machine would be activated.
FireEye was the company that discovered the malware and the steganography process the hacking group was using. FireEye has named the malware tool HAMMERTOSS and says that hackers are becoming more and more sophisticated in the ways they stay hidden. All of the commands that told HAMMERTOSS what to do were hidden in plain sight, within images.
So how does one hide data within images using steganography? Steganography dates back to the 1400s, and the word comes from the Greek steganos, meaning “covered” or “protected”. What the Russian hackers did involved changing the RGB value of a single pixel in a 24-bit image by one decimal unit. Every pixel of a 24-bit image is made up of three numbers, for red, green and blue (RGB), and changing a single pixel’s red, green, or blue value by one is completely invisible to the human eye. With software or tools, you could easily program a way to analyze an image for such changes and build an algorithm around them. By analyzing multiple images, the recovered numbers can be converted into ASCII codes, which define letters and eventually build up to a full command or message.
What the hackers did had multiple parts. Taken all together, those parts might have been easy to identify, but because the process was split across different stages, it is very difficult to block or detect by automated means such as antivirus or an IDS.
HAMMERTOSS works by:
- Retrieving commands via legitimate web services, such as Twitter and GitHub, or using compromised web servers for command and control (CnC),
- Visiting different Twitter handles daily and automatically,
- Using timed starts—communicating only after a specific date or only during the victim’s workweek,
- Obtaining commands via images containing hidden and encrypted data, and
- Extracting information from a compromised network and uploading files to cloud storage services.
“APT29 is among the most capable groups that we track. While other APT groups try to cover their tracks to thwart investigators, APT29 stands out. They show discipline and consistency in reducing or eliminating forensic evidence, as well as adaptability in monitoring and circumventing network defenders’ remediation efforts. In our report, we describe how HAMMERTOSS functions and how it demonstrates APT29’s capabilities.” FireEye said today.