Security experts alerted of a dangerous new infection methodology known as the Twittersploit Attack. In the center of it all is the use of several malware instances that use the Twitter social network service as a C&C (command and control) server interface. The analysts note that a complex behavior pattern is being executed upon the time of infection.
The Malware Behind the Twittersploit Attack
One of the first malicious instances that are used in the attacks is called CozyCar (also known as CozyDuke). It was used primarily by the APT hacking collective from 2015 to 2015 and represents a modular framework that can be customized according to the unique characteristics of the ongoing targets. One of the highlights behind it is the fact that the dropper used by this malware performs a stealth protection module which will scan the infected computer for any security software and services that can interfere with its correct execution. The CozyCar threat looks for anti-virus programs or sandbox environment and if any are found the attack will conceal itself and stop running. This is done in order to avoid system administrators from finding out that there has been a weakness in the system.
The main engine is obfuscated with a rotating cipher which makes it very hard to identify the infections. The dropper also uses a malicious of the rundll32.exe system service in order to execute the main component. It is also automatically started once the computer boots, this is done via Windows Registry changes. It is set as a scheduled service and a scheduled task. The main method of communication to the hacker-controlled server is via a normal connection or a secure interface. The CozyCar malware allows the hackers to execute arbitrary commands. The other dangerous module associated with it is the use of an information stealing mechanism. It can harvest both credentials stored in the operating system and certain applications and services installed by the users.
The next malware used in the attack is called HAMMERTOSS and is made by the same collective. One of the unique features behind it is that it downloads its associated modules from various web resources such as Twitter and GitHub. The main binary contains a function that generates a different Twitter handle for the performed checks. The dropper uses a secured connection in order to connect to the hacker-controlled services. Like the previous instance it obfuscates itself in image files. Instead of the common cmd.exe run commands HAMMERTOSS utilizes PowerShell, allowing the hackers behind the attacks to execute complex scripts. The security analysis has identified that the engine uses a custom encryption protocol. Any captured files are first uploaded to hacker-controlled (or hijacked) web cloud storage platforms. From there on they can retrieve it later.
The MiniDuke malware used by APT in the period 2010-2015 consists primarily of downloaders and backdoor components. It is an efficient tool for deploying a variety of threats — from ransomware to Trojans and rootkits. Its interesting to note that it implements a fallback channel used to identify the C&C servers. If the ones hosted on Twitter do not respond then the MiniDuke malware will automatically trigger a Google Search query using specific content that can identify them. This makes the Twittersploit attack particularly effective. When downloading backdoors to the infected systems they are encrypted in GIF files.
The last module used in the attacks is called OnionDuke, it was used as a primary payload during several campaign occurring in 2013-2015. The encrypted connections as well as downloading various payloads to the machines. The malware is capable of posting messages in an automated manner to the VKontakte social media site. It’s main function is to extract credentials and private information.
Consequences of the Twittersploit Attack
One of the main reasons why the Twittersploit attack is particularly effective in causing many infections. The method overcomes the traditional blacklists of hacker-controlled URLs. To effectively block the attacks from occurring the network administrators will have to block access to the Twitter social network.
Encrypted communications are difficult to trace and analyze. The fact that the Twitter communications can use multiple handles shows that a complex engine has been programmed. Communications usually follows an established model of bi-directional commands. A common tactic is to first report the infection and then listen in for any commands. A proof-of-concept code shows that an implementation using these tools is simple to do and possible by malicious actors at any skill level, as long as they have access to the APT tools.
The Twittersploit attack is an effective solution for carrying out complex infections. The fact that all main tools are being used by the APT group shows that there is clear criminal intent in their use. Without regard to the initial delivery network a successful intrusion can be used to intrude whole networks at once. Given the available resources and functions use of the various malware can be used for extracting sensitive information and deploying other viruses.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: