Hack like HammerToss: Students spin social media into data siphons
Ruskie hack team might have cash, but you just need GITHUB
A sextet of security students have released a tool that spins social media networks into stealthy data siphons, a technique already in use by an elite Russian hacking group.
The tool released at BSides Las Vegas this week helps hackers emulate the data pillaging tactics of the HammerToss crime group. FireEye last week described its social media siphon tricks as marking the group's elite status.
The students' Sneaky Creeper Python tool, in development prior to the HammerToss revelations, allows hackers to move data in and out of popped networks over Tumblr, Twitter and SoundCloud.
The social network channels help keep data movements under the radar, according to the team from Franklin W Olin College of Engineering in Massachusetts.
"It is a data exfiltration framework that uses social media to move your information in and out, for command and control … it does encoding and is really flexible and adaptable," researcher Dakota Nelson said.
"It is a framework designed to have modules added as they are needed. From the network perspective it looks like someone uploading to SoundCloud as normal, with nothing unusual going on, but you're one command line from pulling that data out."
The team includes Nelson, Byron Wasti, Gabe Butterick, Nick Francisci, Bonnie Ishiguro and Nora Mohamed.
Sneaky Creeper is functional but requires much polishing; it can be compiled to a Linux binary, with a Windows port in the works. It uses RSA and Base64 encoding, along with steganography that can hide data within sounds and images.
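Because the payload rides inside ordinary-looking media uploads, content inspection at the proxy has nothing to match on; what a network defender is left with is the shape of the traffic: how much a host pushes to media-sharing sites, and how often, compared with its peers. The following is an added example written for this article, not code from the students or from Sneaky Creeper, showing that kind of volume baseline over constructed web-proxy log lines. The log format (`timestamp client method host bytes_sent`), the watched domains, the sample IPs and the thresholds are all assumptions chosen for illustration.

```python
"""Baseline check for bulk uploads to media-sharing sites.

Added example for this article; not part of Sneaky Creeper. The log
format, domain list, sample traffic and thresholds are assumptions.
"""
import re
from collections import defaultdict
from statistics import median

# Domains the article names as carrier channels; extend as needed (assumption).
WATCHED = {"twitter.com", "tumblr.com", "soundcloud.com"}
UPLOAD_METHODS = {"POST", "PUT"}

# Assumed proxy line format: "<ts> <client_ip> <method> <host> <bytes_sent>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)

# Constructed sample traffic (not real logs). Three hosts make small, ordinary
# posts; 10.0.0.9 repeatedly pushes ~5 MB to SoundCloud; 10.0.0.8 uploads a
# lot to an unwatched domain and should not be flagged by this check.
SAMPLE_LOG = """\
2015-08-05T09:00:01 10.0.0.5 GET twitter.com 312
2015-08-05T09:00:07 10.0.0.5 POST twitter.com 1400
2015-08-05T09:02:11 10.0.0.6 GET tumblr.com 9050
2015-08-05T09:03:30 10.0.0.6 POST tumblr.com 2200
2015-08-05T09:05:00 10.0.0.7 GET soundcloud.com 410000
2015-08-05T09:05:45 10.0.0.7 POST twitter.com 900
2015-08-05T09:10:02 10.0.0.9 POST soundcloud.com 5200000
2015-08-05T09:12:15 10.0.0.9 POST soundcloud.com 5100000
2015-08-05T09:14:33 10.0.0.9 POST soundcloud.com 5300000
2015-08-05T09:16:48 10.0.0.9 POST soundcloud.com 4900000
2015-08-05T09:17:10 10.0.0.9 GET twitter.com 500
2015-08-05T09:20:00 10.0.0.8 POST example.com 80000000
"""


def parse_log(text):
    """Parse log text into (ts, client, method, host, bytes) tuples.

    Malformed lines are skipped rather than aborting the whole run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((m["ts"], m["client"], m["method"], m["host"].lower(), int(m["bytes"])))
    return events


def upload_totals(events, watched=WATCHED):
    """Sum upload bytes and count uploads per client, for watched hosts only."""
    totals = defaultdict(lambda: {"bytes": 0, "uploads": 0})
    for _, client, method, host, nbytes in events:
        if method in UPLOAD_METHODS and host in watched:
            totals[client]["bytes"] += nbytes
            totals[client]["uploads"] += 1
    return dict(totals)


def flag_uploaders(events, watched=WATCHED, min_bytes=1_000_000, min_uploads=3, mad_k=5.0):
    """Flag clients whose upload volume to watched sites is both large in
    absolute terms and an outlier against their peers (median + k * MAD).

    With fewer than three uploading clients there is no usable peer
    baseline, so only the absolute thresholds apply.
    """
    totals = upload_totals(events, watched)
    if not totals:
        return {}
    volumes = [t["bytes"] for t in totals.values()]
    med = median(volumes)
    mad = median(abs(v - med) for v in volumes) or 1.0  # avoid a zero scale
    flagged = {}
    for client, t in totals.items():
        peer_outlier = len(volumes) < 3 or t["bytes"] > med + mad_k * mad
        if t["bytes"] >= min_bytes and t["uploads"] >= min_uploads and peer_outlier:
            flagged[client] = {**t, "peer_baseline": med}
    return flagged


if __name__ == "__main__":
    for client, info in flag_uploaders(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['uploads']} uploads, {info['bytes']} bytes "
              f"(peer median {info['peer_baseline']:.0f})")
```

The median/MAD baseline is deliberately robust: one exfiltrating host cannot drag the "normal" level up the way a mean would, and the absolute floor keeps a quiet network from flagging its own biggest-but-harmless poster. In practice the per-client window would be sized against real traffic rather than a dozen constructed lines, and the same totals can be broken out per destination domain when one channel dominates.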
"It is kinda cool that you can encode the data as sound and upload it to SoundCloud and download it later," said Butterick.
"If you played the music it sounds terrible."
The Twitter module can issue and pull down encoded tweets from an attacker's Twitter account of choice.
"It is a new type of attack vector, and we're trying to bring attention to it," Wasti said.
The team will consider working on "push-button" exfiltration for the ultra-lazy hacker, described as a "one-stop shop" for manual theft.
They asked the security community to contact the team for any advice or comment that would help with their exfiltration works. ®