Hammertoss Malware Mimics Normal Computer Usage to Avoid Detection

One of the most common ways that modern antivirus software uses to detect malicious software is the way in which that malware behaves on the PC. In other words, the way malware acts once installed is usually a sure sign that a malware infection has occurred.  Until now… A new type of malware was recently discovered by IT security firm FireEye that actually mimics the behavior of a normal computer user while it’s compromising files on the infected PC. This new malware variant, known as Hammertoss, is so advanced that it can even time itself to work within the victim’s work schedule - making it nearly impossible to detect using the standard detection algorithms that antivirus software has relied on for years to detect malicious activity.

Even if your security software is updated regularly with the latest virus signatures, FireEye reports that Hammertoss is unlikely to be detected or removed because of its innovative anti-detection methods and the overall sophistication of the malware. FireEye also has reason to believe that Hammertoss was created by a hacking group that is actively sponsored by the Russian government. Jordan Berry, a threat researcher at FireEye, was quoted as saying “We really think Hammertoss exemplifies the way [state-sponsored] actors are moving in a way that more easily evades and avoids traditional defenses.” Due to confidentiality agreements between FireEye and its customers, the security firm has not released the names or ownership of any of the computer systems affected by Hammertoss, but the company did say that the malware is capable of uploading sensitive files onto a cloud server that can be remotely accessed by the hackers - all while pretending to be an ‘innocent’ user on the system going about daily office tasks.

Once Hammertoss has been installed on a PC, it starts a series of “everyday” tasks that are designed not to set off any warning flags within standard security software suites.

First, Hammertoss looks at Twitter and using a special algorithm, searches for messages from specific Twitter accounts. These Twitter accounts actually provide Hammertoss with instructions for further malicious activities on the infected PC. After receiving instructions from these seemingly harmless tweets, Hammertoss accesses GitHub, where it retrieves an image file. Although this image file appears normal, the image file actually contains hidden code that provides additional information to Hammertoss directly from the hackers behind the campaign. Finally, using the instructions gathered from GitHub and Twitter, Hammertoss begins accessing files on the infected computer and uploading them to a cloud server where the stolen information can be retrieved by the hackers.

hammertoss malware using twitter and github

While this malware seems extremely devious (it is), FireEye says that the hackers behind this campaign are only targeting specific, high-value targets. This means that Hammertoss is unlikely to become a household name because the hackers are only looking to infect the sensitive computer systems within the US government and other high-value targets (including military contractors, educational institutions, and industrial systems). This is further proof that this attack is sponsored by the Russian government rather than cybercriminals seeking to profit from Hammertoss. It’s obvious that this malware campaign is being used sparingly to infect high-value targets in an effort to conceal the advanced features that make this malware so dangerous. If the hackers behind this attack were to randomly infect computers around the world, it would only be a matter of time before security software manufacturers figured out a way to detect Hammertoss – effectively making the malware a menial threat.

That said, the tactics used by Hammertoss could easily be modified and used for a large malware campaign that does target PCs at the individual level.

Hammertoss, or a derivative with similar behaviors, could easily bypass detection on a residential PC system and using the instructions provided via social media and/or image files embedded with malicious instructions, seek out sensitive personal and financial information that could be used by hackers for identity theft or financial gains. The best way to think about Hammertoss and what it means for the evolution of modern malware is to compare it to a game of chess. While most of the malware discussed on this blog are akin to pawns that can get work done for hackers before being eradicated by security software, Hammertoss acts more like an invisible queen; a dangerous piece that can put a computer into “checkmate” while security software is distracted by removing the pawns.

hammertoss malware

Despite Hammertoss’ current use as a government-funded tool designed to infiltrate the high-value computer networks of targets deemed interesting by the Russian government, the same principles could easily be applied to other dangerous malware variants such as Citadel and Zeus. Only time will tell if this new detection avoidance strategy will become more widespread in the future.

Due to the unique way in which Hammertoss operates, there is currently no way to prevent infection. As always, ensure your OS and all third-party applications are regularly updated with the latest security patches.

Also, disable any Web browser plugins that are not needed for daily activities. This includes Adobe Flash Player, Java, and Microsoft Silverlight. These plugins are a favorite way for hackers to infiltrate a system using a drive-by download attacks whereby Hammertoss can be installed when a PC visits a compromised website serving malicious files behind the scenes. Perhaps the only hope for eventually detecting Hammertoss is more widespread use of the malware by hackers. As more PCs become infected, it will become easier for security companies to learn ways to detect and block this malware for wreaking havoc on computers. Until that day, however, it seems that security researchers may have finally met their nemesis in a malware that takes great care to act just as a regular computer user would. Welcome to the new age of malware, a time when even the best security software in the world cannot stop malware from doing its nefarious bidding.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal