ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool HammerDuke

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: HammerDuke

NamesHammerDuke
HAMMERTOSS
NetDuke
tDiscoverer
CategoryMalware
TypeBackdoor, Loader
Description(F-Secure) HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke. Specifically, the only known infection vector for HammerDuke is to be downloaded and executed by CozyDuke onto a victim that has already been compromised by that toolset. This, together with HammerDuke’s simplistic backdoor functionality, suggests that it is primarily used by the Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the initial infection and stole any readily available information from them.

HammerDuke is however interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands, but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date. If the account exists, HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute.

HammerDuke’s use of Twitter and crafted image files is reminiscent of other Duke toolsets. Both OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names and then searched for any tweets from those accounts that linked to image files. In contrast however, for OnionDuke and MiniDuke the linked image files contain embedded malware to be downloaded and executed, rather than instructions.
Information<https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf>
<https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf>
<https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf>
MITRE ATT&CK<https://attack.mitre.org/software/S0037/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:HammerDuke>

Last change to this tool card: 24 April 2021

Download this tool card in JSON format

All groups using tool HammerDuke

ChangedNameCountryObserved

APT groups

 APT 29, Cozy Bear, The DukesRussia2008-Jul 2021 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key