HAMMERTOSS

By GoldSparrow in Backdoors

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 13
First Seen: August 11, 2015
Last Seen: November 5, 2021
OS(es) Affected: Windows

HAMMERTOSS is a backdoor attributed to a Russian threat group that is extremely effective at avoiding detection. HAMMERTOSS is mainly used in attacks against corporate networks, where it blends its command-and-control traffic into ordinary connections to services such as GitHub and Twitter so that it can remain undetected for far longer than most malware. HAMMERTOSS is suspected of having been used in attacks against high-profile targets. Unlike threats aimed at individual users, HAMMERTOSS and its variants are considerably more sophisticated and are built to carry out large-scale data theft from industrial and commercial targets.

HAMMERTOSS May Use Several Tactics to Avoid Detection

One of the most important goals for threat developers is building threats that bypass detection. HAMMERTOSS does this by hiding its command traffic inside traffic the network already generates. According to security researchers, HAMMERTOSS can spread its communications across several ordinary-looking traffic streams, a complicated task that requires a sophisticated approach and is clearly not the work of amateurs. Security researchers attribute HAMMERTOSS to a Russian group specializing in advanced persistent threat campaigns, known as APT29, which has continually refined HAMMERTOSS to circumvent new security measures as they appear. In the most recent HAMMERTOSS attacks, the group uses online services such as GitHub and Twitter, cloud storage platforms and further layers of concealment to blend HAMMERTOSS' activity into the normal background noise of a corporate network. HAMMERTOSS communicates with its operators only infrequently, and does so through these public services, so each contact looks like one more request among the many that legitimate users on the affected network already make to the same sites.

What is the Purpose of HAMMERTOSS?

HAMMERTOSS first appeared in early 2015. APT29, the group behind HAMMERTOSS attacks, was already using two other backdoors to infiltrate victims' networks. Security researchers believe that HAMMERTOSS was originally intended as a backup to those access methods, keeping a backdoor open and allowing command execution if the others failed. Since then, however, HAMMERTOSS has become the main component of these attacks. HAMMERTOSS uses several known tactics to obfuscate its own activity: it retrieves commands through social media posts, checks a rotating set of Twitter accounts for instructions, and follows a schedule that decreases the likelihood of detection. HAMMERTOSS drew attention earlier in 2015 because it can receive orders through ordinary-looking images posted online that carry hidden data embedded within them.
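
The image trick described above, as an added example that is not code from the original page and not HAMMERTOSS's actual format: a command is appended after the PNG IEND chunk, where viewers never look, and lightly obscured with a repeating-key XOR. The PNG builder, the length-prefixed trailer layout, the XOR step and the idea that the key arrives separately (for instance in a social-media post) are all assumptions chosen for illustration; the page gives none of those specifics. The last function is the defender-side check: count the bytes that follow IEND.

```python
import struct
import zlib
from typing import Optional

# Constructed example of a command hidden in an image: the payload is appended
# after the PNG IEND chunk, where image viewers never look. This illustrates the
# general technique the page describes, not HAMMERTOSS's real file format,
# cipher or post syntax, none of which the page gives.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 of type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (solid grey) to serve as the carrier."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline begins with filter type 0, followed by one RGB triple per pixel.
    raw = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def image_end_offset(data: bytes) -> int:
    """Walk the chunk list, checking each CRC, and return the offset just past
    IEND. Everything from that offset onward is outside the image proper."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a stand-in for whatever cipher an implant would use,
    enough to keep the command out of plain sight in the file."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_command(carrier: bytes, command: bytes, key: bytes) -> bytes:
    """Operator side: append a 2-byte length prefix and the XOR-obscured command
    after IEND. The image still opens normally in any viewer."""
    end = image_end_offset(carrier)
    return carrier[:end] + struct.pack(">H", len(command)) + _xor(command, key)


def extract_command(image: bytes, key: bytes) -> Optional[bytes]:
    """Implant side: find IEND, read the trailer, remove the XOR layer. The key
    is assumed to arrive out of band (for example in a social-media post).
    Returns None when nothing is appended."""
    trailer = image[image_end_offset(image):]
    if len(trailer) < 2:
        return None
    (n,) = struct.unpack(">H", trailer[:2])
    if len(trailer) < 2 + n:
        raise ValueError("truncated payload")
    return _xor(trailer[2:2 + n], key)


def trailing_bytes(image: bytes) -> int:
    """Defender side: count bytes after IEND. A non-zero result for an image
    pulled from a code-hosting site is a cheap triage signal."""
    return len(image) - image_end_offset(image)


if __name__ == "__main__":
    carrier = make_png()
    stego = embed_command(carrier, b"whoami /all", b"k3y")
    print(trailing_bytes(carrier), trailing_bytes(stego))   # 0 13
    print(extract_command(stego, b"k3y"))                    # b'whoami /all'
```

The carrier's chunk structure and CRCs are untouched, which is why a viewer, a thumbnail generator or a naive "is this a valid PNG" check all pass the file. The trailing-bytes count is the check worth wiring into an analysis pipeline: it is format-level, needs no knowledge of the cipher, and catches any appended payload regardless of how it is encoded.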

Once HAMMERTOSS has infected a computer, it attempts to remain undetected for as long as possible. HAMMERTOSS is designed to gather files from the victim's system and upload them to cloud storage accounts controlled by APT29. Shutting down every Twitter handle linked to HAMMERTOSS is nearly impossible: each infection may be associated with hundreds of Twitter accounts, of which often fewer than ten are actually used to receive and relay communications.
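
Because every individual step (a Twitter page view, an image download from GitHub, an upload to a cloud storage service) is normal corporate traffic, the useful detection is the sequence, per host, inside a short window. The following is an added hunting example, not code from the original page or from any vendor: the proxy log lines are constructed, the host names, the cloud-storage domain, the fifteen-minute window and the upload-size threshold are assumptions, and the Twitter handle is an arbitrary placeholder.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp, client host, method, URL, bytes sent.
# The format, hostnames and the cloud-storage domain are hypothetical, chosen
# to resemble a generic web-proxy access log.
SAMPLE_LOG = """\
2015-08-11T09:00:12Z ws-042 GET https://twitter.com/1abBob52b 0
2015-08-11T09:00:40Z ws-042 GET https://github.com/someuser/photos/raw/master/beach.png 0
2015-08-11T09:03:05Z ws-042 PUT https://storage.example-cloud.net/bucket/a7f3 524288
2015-08-11T09:01:00Z ws-017 GET https://twitter.com/newsfeed 0
2015-08-11T09:05:30Z ws-017 GET https://github.com/org/project/blob/master/README.md 0
2015-08-11T11:20:00Z ws-101 GET https://github.com/org/project/raw/master/logo.png 0
2015-08-11T11:21:00Z ws-101 PUT https://storage.example-cloud.net/bucket/b1 524288
"""

Event = namedtuple("Event", "ts host method url nbytes")

# Assumed: the hostnames a given environment treats as cloud storage.
CLOUD_STORAGE_HOSTS = {"storage.example-cloud.net"}
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")


def parse_log(text: str) -> List[Event]:
    """Parse the constructed space-separated log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url, nbytes = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, method, url, int(nbytes)))
    return events


def classify(ev: Event, min_upload_bytes: int) -> int:
    """Map an event to a stage of the chain: 1 = Twitter profile fetch,
    2 = image download from GitHub, 3 = sizeable upload to cloud storage,
    0 = anything else."""
    u = urlparse(ev.url)
    path = u.path.strip("/")
    if ev.method == "GET" and u.netloc == "twitter.com" and path and "/" not in path:
        return 1
    if ev.method == "GET" and u.netloc == "github.com" and path.lower().endswith(IMAGE_SUFFIXES):
        return 2
    if ev.method in ("PUT", "POST") and u.netloc in CLOUD_STORAGE_HOSTS and ev.nbytes >= min_upload_bytes:
        return 3
    return 0


def find_chains(events: List[Event], window: timedelta = timedelta(minutes=15),
                min_upload_bytes: int = 64 * 1024) -> List[Tuple[str, datetime, datetime, datetime]]:
    """Return (host, t_twitter, t_image, t_upload) for every host that performs
    the three stages in order inside `window`. Hosts that hit only one or two
    stages are left alone, which is what keeps this usable as a hunting query."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    hits = []
    for host, evs in by_host.items():
        staged = [(e, classify(e, min_upload_bytes)) for e in sorted(evs, key=lambda e: e.ts)]
        for i, (first, s1) in enumerate(staged):
            if s1 != 1:
                continue
            image = None
            for ev, s in staged[i + 1:]:
                if ev.ts - first.ts > window:
                    break
                if s == 2 and image is None:
                    image = ev
                elif s == 3 and image is not None:
                    hits.append((host, first.ts, image.ts, ev.ts))
                    break
    return hits


if __name__ == "__main__":
    for host, t1, t2, t3 in find_chains(parse_log(SAMPLE_LOG)):
        print(f"{host}: twitter {t1:%H:%M:%S} -> image {t2:%H:%M:%S} -> upload {t3:%H:%M:%S}")
```

On the sample data only ws-042 is flagged: ws-017 visits Twitter and GitHub but fetches no image and uploads nothing, and ws-101 downloads an image and uploads a file but never touches Twitter. Treat the output as a triage queue rather than an alert; the window and upload threshold need tuning per environment, and a host that repeats the same chain on a regular schedule is a stronger signal than a single match.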

Who is Responsible for HAMMERTOSS?

Given the working schedules observed in HAMMERTOSS attacks and the choice of targets, it is highly likely that HAMMERTOSS' creators are located in Russia. APT29 has shown remarkable discipline in preventing security investigators from shutting down its attacks, and has adapted to numerous security innovations introduced since the group first surfaced in 2014. One reason APT29 has remained so effective is that it operates only from compromised servers and never from its own machines. The group also updates its tools rapidly, using short development cycles to stay a step ahead of security researchers. HAMMERTOSS is the product of a highly capable group with sophisticated tools and resources at its disposal. To defend against HAMMERTOSS, security researchers recommend strong, fully up-to-date security software. Malware analysts and network defenders should also be aware of the distinctive way HAMMERTOSS hides its traffic: no single request to Twitter, GitHub or a cloud storage service looks suspicious on its own, so detection depends on correlating those otherwise ordinary requests by host and time rather than on blocking any one destination.