Cb Connect 2018 | Power of You | Register Now


Hunting HammerToss with Carbon Black

Hunting HammerToss with Carbon Black tweet
July 31, 2015 / David Dorsey

HammerToss, a strain of malware believed to be the work of a Russian cyber-spy crew, attempts to hide itself with multiple layers of obfuscation and copying the behavior of legitimate users. HammerToss uses Twitter, GitHub, and cloud storage services to receive commands and to exfiltrate data from compromised systems.

Having visibility into your endpoints enables you to hunt for this malware using more than just network traffic to common sites. With one of the hashes for the malware in hand, we can start hunting for HammerToss simply by looking for that hash.

You can use this search to find it: md5:d3109c83e07dd5d7fe032dc80c581d08

However, searching for hashes is not a very good solution to this problem. If this malware is modified slightly, it will escape this search because variations of it will have different hashes.

However, there are better searches we can do that will be more effective and cast a wider net. The report mentions the filename of the malware is wermgr.exe. This is also the name of a legitimate Windows binary located in Windows\System32. It runs all processes related to the Windows Error Reporting system. Using this knowledge, we can hunt for the malware by looking for all instances of this filename that are not running out of C:\Windows\System32.

process_name:wermgr.exe -path:c:/windows/system32/wermgr.exe

This process also is started by services.exe. So we can alternatively search for all instances of this process that didn’t get started by services.exe.

process_name:wermgr.exe -parent_name:services.exe

Of course, if the file has a different name those searches will not work. One of the key features of HammerToss is its ability to blend in with normal network traffic. HammerToss can communicate with its command-and-control server using twitter and GitHub as intermediaries. HammerToss contains an algorithm that generates Twitter handles telling the malware to visit a specific Twitter handle on a specific day. HammerToss will then go to that Twitter page and look for a tweet that tells it what to do next.

Trying to detect when an endpoint goes to a specific pseudorandom-generated Twitter handle via network traffic is near impossible. The same goes for finding malicious traffic to GitHub,as well. Digging through your proxy logs manually to look for it is an even worse idea.

This is why having visibility into your endpoints is so critical. The tricks malware uses to hide in network traffic can cause it to stick out on the endpoint. Most traffic to these sites comes from browsers.

Using Carbon Black, there are some searches that can be done that would help detect this suspicious traffic. Since we are interested in processes that communicate with these domains that are not browsers, we can use these searches to find these processes.

domain:twitter.com -process_name:chrome.exe -process_name:iexplorer.exe -process_name:firefox.exe -process_name:safari.exe

domain:github.com -process_name:chrome.exe -process_name:iexplorer.exe -process_name:firefox.exe -process_name:safari.exe

Running searches on some local data, we had more than 46,000 processes that communicate with twitter.com. Removing the browser processes in the search above drops the number down to fewer than 1,000, with only 34 unique process names. This is a small enough number that they could be investigated and removed from the search to make it even more powerful.

Without visibility on your endpoints, finding this malware is much more complex. However, as you can see, there are many different ways you can hunt for this malware—if you have visibility on your endpoints. As usual, these searches are merely starting points that will enable you to hunt for and investigate suspicious activity on your endpoints—and then eliminate dangerous files.

TAGS: bit9 / Carbon Black / endpoint security / endpoints / HammerToss / network traffic