How The Russian Abused Twitter as C&C in Hammertoss Malware? Python Answers

Pierluigi Paganini November 25, 2015

Today, we will replicate a technique which has been used by recent, sophisticated and hard to trace a Russian malware called Hammertoss.

Today, we will replicate a technique which has been used by recent, sophisticated and hard to trace a Russian malware called Hammertoss, the creators of this malware has abused multiple well-known sites like Twitter and Github to defeat modern firewalls and torture whoever tracing their tracks.

In a nutshell, instead of getting a direct reverse connection back to the C&C server similar to what traditional malware does, this smart malware will jump between third party servers to perform its malicious activity, please take two minutes and watch this[https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html/] short explanatory video from Fireeye so you will get a quick overview how the malware works.

Before the fun begins, I just want to mention that this code is a part of my new training course on Udemy called “Python for Offensive Pentest: A Complete Practical Course.

All right, so the first stage of Hammertoss was to connect to a Twitter looking for a tweet created by the hackers which contains a URL for an image and hashtag as a part of the encryption key. Technically speaking, you don’t need to login into Twitter to parse someone’s tweet, so in this case, we just need to figure out the account URL to navigate and the HTML tags which contain the actual tweet, Keep in mind you can add other twitter accounts to hide the original one (which belongs to the hacker).

Obviously you should never your personal account while doing similar stuff, that’s why I created a new account holding my name and here’s is the link to my twitter home page:

https://twitter.com/HussamKhrais

Now from my Kali machine, I made a tweet saying “Hello from kali python” then I logged out, at this point once we click on the above URL, we should see something similar to this output

Hammertoss malware Pyton poc 1

Now using your browser you can view the HTML source code of this page, in Chrome just do a right click anywhere in the page and select “View page source” or Ctrl+U for short, in the HTML if we search for our tweet, we will get the below HTML line:-

<meta name="description" content="The latest Tweets from Hussam Khrais (@HussamKhrais): &quot;Hello from kali python&quot;">

Hammertoss malware Pyton poc 2

So technically if we code a simple script that will navigate to https://twitter.com/HussamKhrais

And retrieve the HTML page, then inside the HTML if we search for meta tag called name that has a value of description and asked for the value of content, then we should be able to grab our tweet.

Let’s translate this action to a code:-

  1. fromBeautifulSoup import BeautifulSoup as soupy #1
  2. importurllib  #2
  3. html = urllib.urlopen(‘https://twitter.com/HussamKhrais’).read() #3
  4. soup = soupy(html)  #4
  5. x = soup.find(“meta”, {“name”:”description”})[‘content’]  #5
  6. print x #6

1# Import soupy function from BeautifulSoup library, we will use this function to search for the html tags

2# Import urllib which will be used to navigate to our twitter page and grab the html for us

3# Navigate to my twitter home page HussamKhrais, store the HTML page into html variable

4# Pass it to soupy function so we can parse it

5# Here we search for the HTML meta tags

6# Print the result out

The output for running the script would be

Hammertoss malware Pyton poc 3

At this point, since we are only interested in having the string between the quotation marks, we can filter it out using regular expression, and that is exactly what the below script will do for us

  1. importre
  2. filter = re.findall(r'”(.*?)”‘,x)
  3. tweet =  filter[0]
  4. print tweet

the “findall” function will grab the string between the ” ” and store it in a list data type called filter, finally we print the exact tweet.

After putting all the script pieces together, we got the below result

Hammertoss malware Pyton poc 4

Please feel free to download the script and give it a try on your own tweet!

Now think about it for a second, can we use twitter to replace DDNS? Well, what will happen if we replace “Hello from kali python” with the attacker public IP, and each time the attacker IP changes, all what he needs to do is to send a tweet with the new IP to get the reverse connection for his victim!

A question for you

After reading this article, do you think that can you code in Python a complete AV free remote shell and exfiltrate data without even having a single direct connection with your target? Please share your thoughts.

If you are interested on the topic you can go deeper following the course “Python For Offensive PenTest: A Complete Practical Course

Hammertoss malware Pyton poc 5

 

About the Author Hussam Khrais

Hussam Khrais is a senior security engineer with over 4 years in penetration testing, Python scripting and network security where he spends countless hours in forging custom hacking tools in Python.
Hussam currently holds the following certificates in information security:-
-GIAC Penetration Testing – GPEN
-Certified Ethical Hacker – CEH
-Cisco Certified Network Professional – Security (CCNP Security)

Edited by Pierluigi Paganini

(Security Affairs – Hammertosspyton)



you might also like

leave a comment