Extra sneaky Hammertoss malware acts just like you on your computer

Security company FireEye says a Russia-sponsored group uses malware that mimics normal computer use while stealing sensitive files.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

Hammertoss is malware that acts like normal computer users while stealing sensitive files. Getty Images/Ikon Images

Malware -- the destructive software that sneaks onto your computer and helps hackers breach important systems -- usually has a tell. While it's running on your computer, it doesn't act like you do, and that's how security systems often detect it.

Until now. A new type of malware found by security company FireEye mimics normal computer user behavior the entire time it's compromising files on a victim's machine. It can even time itself to the victim's work schedule. That renders all those efforts to look for strange behavior useless.

While antivirus software and other malware detection programs might clean up other bad files from our computers, this one's likely to stay silently at work. The malware is called Hammertoss, and FireEye believes it is being used by a hacking group sponsored by the Russian government.

In a world of seemingly relentless hacks that have leaked millions of medical records, credit card numbers and Social Security numbers, this software shows exactly what we're up against. Hammertoss is essentially a first-class spy, and it's working for a group that FireEye calls APT-29, the 29th state-sponsored group on FireEye's watch list.

The malware isn't performing a bunch of new tricks that FireEye's researchers haven't seen before, but the company's experts say they haven't run across this combination of tricks or level of sophistication before.

"We really think Hammertoss exemplifies the way [state-sponsored] actors are moving in a way that more easily evades and avoids traditional defenses," said Jordan Berry, a threat researcher at FireEye.

FireEye doesn't say who the malware has affected because it has confidentiality agreements with its customers. But the company says the malware can upload files from sensitive computer systems onto a cloud server that hackers can access, all while pretending it's going about a normal day at the office.

Secret instructions

Once the software takes root on a computer, it starts a series of everyday tasks. First, it starts looking at Twitter. Using an algorithm, it looks for messages from specific Twitter handles, where it gets instructions for its next steps.

After getting instructions from seemingly banal tweets, the software then looks at Github to retrieve an image. The image looks normal, but within the file's code is extra information provided by hackers, which gives the software more instructions.

Finally, using the information from the image file, the Hammertoss starts offloading information from the computer onto a cloud server, where hackers can pick it up.

While it's a powerful tool, FireEye researchers said the Russian hacking group they suspect of using Hammertoss is only targeting a small number of high-value of targets.

"When they really need to avoid detection, they pull out the big guns," Berry said.

That doesn't necessarily make Hammertoss less lethal, though. In fact, it's a sound strategy for hackers. While more obvious malware files might get some good work done for hackers, like a crowd of pawns, they'll often get swept off the chessboard by security software. But Hammertoss is like an invisible queen, silently checkmating important computers.

"They use it sparingly so that it remains effective," Berry said.

But where state-sponsored hackers go, cybercriminals are sure to follow, Berry noted, so we're apt to see Hammertoss and other well-disguised malware affecting more computers, and as a result, more people. That's scary, but will eventually make us better at finding it.

"As it becomes better understood and people are able to assess their own security controls, they can devise ways to better prevent this on their own networks."