Hammertoss implements an algorithm that generates a new Twitter handle every day; the operators' C&C infrastructure then communicates with Hammertoss through Twitter accounts with those handles, which are registered and managed by APT 29.
The attackers embed the command for Hammertoss instances in a tweet containing a URL and a hashtag. The URL points to an image hosted on a different server, and the image carries data hidden with a steganographic technique.
The hashtag encodes the file size of the image, which the implant needs in order to locate the hidden data, and a few characters that must be appended to the encryption key stored within Hammertoss before the hidden data can be extracted and decrypted.
“The HAMMERTOSS backdoor generates and looks for a different Twitter handle each day. It uses an algorithm to generate the daily handle, such as ‘234Bob234’, before attempting to visit the corresponding Twitter page. If the threat group has not registered that day’s handle, HAMMERTOSS will wait until the next day and look for a different handle,” the report continues.
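To make the channel concrete, here is an added example in Python that models the stages described above on constructed data. It is not HAMMERTOSS code and not taken from the FireEye report: the handle derivation (SHA-256 over a fixed seed and the date), the handle name list, the embedded key, the repeating-key XOR used in place of the unspecified cipher, the fake image bytes, the command text and the placeholder URL are all assumptions. What it does show is the shape of the protocol: a deterministic daily handle, the wait-until-registered loop, a tweet carrying a URL plus a hashtag of the form #<size><letters>, and extraction of data appended after the cover image using the extended key.

```python
from __future__ import annotations

import datetime
import hashlib
import re

# Assumption: a stand-in for the symmetric key the page says is stored inside
# Hammertoss. The real key and cipher are not published on this page.
EMBEDDED_KEY = b"embedded-base-key"

# Assumption: name fragments for the illustrative handle generator.
HANDLE_NAMES = ("Bob", "Alice", "Carol", "Dave")


def daily_handle(day: datetime.date, seed: bytes = b"illustrative-seed") -> str:
    """Derive a deterministic Twitter handle for a given day.

    Illustrative derivation only: the page says a handle such as "234Bob234"
    is generated algorithmically each day but does not give the algorithm.
    Hashing a shared seed with the date lets implant and operator agree.
    """
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    number = f"{int.from_bytes(digest[:2], 'big') % 1000:03d}"
    name = HANDLE_NAMES[digest[2] % len(HANDLE_NAMES)]
    return f"{number}{name}{number}"


def next_registered_handle(start: datetime.date, registered: set[str],
                           max_days: int = 30) -> tuple[datetime.date, str] | None:
    """Walk forward one day at a time until that day's handle is registered.

    Models the "wait until the next day and look for a different handle"
    behaviour; `registered` stands in for the Twitter lookup.
    """
    for i in range(max_days):
        day = start + datetime.timedelta(days=i)
        handle = daily_handle(day)
        if handle in registered:
            return day, handle
    return None


# A command tweet: a URL, then a hashtag whose leading digits give the cover
# image size (where the hidden data begins) and whose letters extend the key.
TWEET_RE = re.compile(r"(https?://\S+)\s+#(\d+)([A-Za-z]+)")


def parse_tweet(text: str) -> tuple[str, int, str]:
    """Return (image_url, cover_size, key_suffix) from a command tweet."""
    m = TWEET_RE.search(text)
    if m is None:
        raise ValueError("tweet carries no command")
    return m.group(1), int(m.group(2)), m.group(3)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a stand-in for the cipher the page does not name."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_image(cover: bytes, command: bytes, key_suffix: str) -> tuple[bytes, int]:
    """Operator side (constructed): append the encrypted command to a cover image.

    Returns the image bytes and the size to publish in the hashtag.
    """
    key = EMBEDDED_KEY + key_suffix.encode()
    return cover + xor_stream(command, key), len(cover)


def extract_command(image: bytes, cover_size: int, key_suffix: str) -> bytes:
    """Implant side: skip the cover image and decrypt with the extended key."""
    if cover_size >= len(image):
        raise ValueError("hashtag size points past the end of the image")
    key = EMBEDDED_KEY + key_suffix.encode()
    return xor_stream(image[cover_size:], key)


def demo() -> bytes:
    """End-to-end walkthrough on constructed data; returns the recovered command."""
    cover = b"\x89PNG\r\n\x1a\n" + bytes(range(64))  # constructed fake PNG header + body
    command = b"collect:hostname,uptime"             # constructed command text
    suffix = "xyz"
    image, size = build_image(cover, command, suffix)

    today = datetime.date(2015, 7, 29)
    registered = {daily_handle(today)}               # operator registered today's handle
    if next_registered_handle(today, registered) is None:
        raise RuntimeError("no registered handle found")

    # Placeholder URL; nothing is fetched, the constructed image bytes are used.
    tweet = f"nice shot https://example.invalid/i.png #{size}{suffix}"
    _url, cover_size, key_suffix = parse_tweet(tweet)
    return extract_command(image, cover_size, key_suffix)


if __name__ == "__main__":
    print(demo())
```

Running the module walks the whole exchange and prints the recovered command. The design point is that every step is deterministic given the embedded seed and key, so an analyst who recovers those from a sample can reproduce the handle sequence and parse the hashtag without talking to the operators; the actual generator and cipher are not given on this page, so that property is stated for this stand-in only.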
The experts noticed that APT 29 adopted several techniques to stay under the radar. For example, Hammertoss is usually active only during the infected organization's normal working hours, so its traffic blends in with legitimate activity and is difficult to detect.