It generates Twitter accounts which tweet a web address and a hashtag giving the location and size of an image.
Hidden instructions in the photo, which is stored on GitHub, make it possible to take somebody’s data from a machine.
On several occasions, the commands, concealed in the image using a technique called steganography, have instructed Hammertoss to upload information from a victim’s network to accounts on cloud storage services.
What is steganography?
A technique that involves making tiny changes to the values used to define the colour of a pixel.
In a 24-bit image, each pixel has its colour defined by three numbers – one each for red, green and blue.
A tiny change to each pixel will alter its colour, but not so much that humans could spot it. However, with the right software, or a reference image to compare against, the changes would stand out.
The changes can be accumulated into numbers that correspond to ASCII codes for letters, and so slowly build up a message.
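The sidebar describes least-significant-bit (LSB) steganography: each red, green or blue value is nudged by at most one, and the nudges spell out bytes. The following is an added example, not code from the article or from FireEye’s analysis of Hammertoss. It builds a constructed 24-bit image as a list of (r, g, b) tuples, hides a short message in the low bits, reads it back, and then shows the two defender-side checks the sidebar mentions: that no channel ever moves by more than 1 (which is why the eye cannot see it), and that a pristine reference copy makes every altered channel stand out. The 2-byte length prefix is my own framing choice, not a format the page describes.

```python
"""LSB steganography over a constructed RGB image, plus the detection
checks a defender would run when a reference copy of the image exists.
Pure Python; no image library needed."""

import random


def make_image(width, height, seed=0):
    """Constructed sample image: one (r, g, b) tuple per pixel."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(image, message: bytes):
    """Hide message in the least significant bit of each colour channel.
    A 2-byte big-endian length prefix (an assumption of this example)
    tells the extractor where the message ends."""
    payload = len(message).to_bytes(2, "big") + message
    capacity = len(image) * 3          # three channels per pixel, one bit each
    if len(payload) * 8 > capacity:
        raise ValueError("message too large for image")
    bits = _bits(payload)
    out = []
    for pixel in image:
        channels = []
        for value in pixel:
            bit = next(bits, None)
            if bit is None:            # payload exhausted: copy pixel unchanged
                channels.append(value)
            else:
                channels.append((value & 0xFE) | bit)   # replace only the LSB
        out.append(tuple(channels))
    return out


def extract(image) -> bytes:
    """Read the LSBs back; the first 16 bits give the message length."""
    lsbs = [value & 1 for pixel in image for value in pixel]

    def read_bytes(start_bit, count):
        result = bytearray()
        for i in range(count):
            byte = 0
            for bit in lsbs[start_bit + 8 * i: start_bit + 8 * i + 8]:
                byte = (byte << 1) | bit
            result.append(byte)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_channel_delta(a, b):
    """Largest per-channel difference between two images. LSB embedding
    never exceeds 1, which is why a viewer cannot see the change."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def changed_channels(reference, suspect):
    """Reference-image check: count channels whose value differs at all.
    Invisible on screen, but obvious once a pristine copy is available."""
    return sum(1 for pa, pb in zip(reference, suspect)
               for x, y in zip(pa, pb) if x != y)


if __name__ == "__main__":
    cover = make_image(64, 64)
    secret = b"constructed sample message"      # not a real command
    stego = embed(cover, secret)
    print("recovered:", extract(stego))
    print("max channel change:", max_channel_delta(cover, stego))   # 1
    print("channels touched:", changed_channels(cover, stego))
```

Without the reference copy, `max_channel_delta` alone tells a reviewer nothing, since a value of 1 is indistinguishable from ordinary sensor noise; that is exactly the property the sidebar describes, and why the article notes that the right software or a reference image is needed before the changes stand out.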
Because the attack is split into several different parts, it is much harder to detect or block with anti-virus software.
FireEye has called the group APT29, and suspects it is Russian because of its targets and the data it has taken, as well as the hours during which it operates and the fact that it appears to stop on Russian holidays.
The firm’s threat intelligence and strategic analysis manager, Jen Weedon, said it was hard to fight back against the threat.
“Hammertoss really challenges network defenders’ ability to identify and differentiate the malware’s command and control communications from legitimate traffic,” she told the BBC.
“In addition, there’s no attacker infrastructure to block so to find this malware you’d need a combination of people, technology and the right intelligence to hunt for, uncover, and neutralise such a sophisticated tool.”
Alan Woodward – an advisor to the EU’s law enforcement agency Europol – told the BBC this type of hack had been seen before.
“The malware itself is not attached to the images but it is quite possible for sets of instructions for malware that has arrived on machines by another route,” he added.
“The malware arrives in two parts, neither of which on their own would necessarily trigger an alert in the security systems. But when both parts combine on the target machine, they are activated and know what to look for and where to send it.”
Prof Woodward said that hackers use this kind of approach as it is easier to hide their identity.
“If the whole code for a piece of malware were present it might be possible to identify where the command and control servers are,” he said.
“But if you could place that data somewhere other than the actual piece of malware it makes any analysis of who the hackers are that bit more difficult.”