|
gptkbp:instanceOf
|
malware
|
|
gptkbp:abilities
|
file upload
data exfiltration
screenshot capture
remote command execution
file download
|
|
gptkbp:alsoKnownAs
|
HAMMERTOSS malware
|
|
gptkbp:attributedTo
|
Russian state-sponsored actors
|
|
gptkbp:commanded
|
gptkb:GitHub
gptkb:Twitter
Cloud storage services
|
|
gptkbp:deliveredBy
|
malicious websites
phishing emails
|
|
gptkbp:firstReported
|
2015
|
|
https://www.w3.org/2000/01/rdf-schema#label
|
HAMMERTOSS
|
|
gptkbp:notableFeature
|
multi-stage infection process
uses images on social media for C2
|
|
gptkbp:operatingSystem
|
gptkb:Windows
|
|
gptkbp:referencedIn
|
gptkb:MITRE_ATT&CK
FireEye report
|
|
gptkbp:socialMedia
|
true
|
|
gptkbp:status
|
active (as of 2015)
|
|
gptkbp:tactics
|
gptkb:Defense_Evasion
gptkb:library
gptkb:Command_and_Control
Exfiltration
Persistence
|
|
gptkbp:target
|
gptkb:energy
government organizations
military organizations
defense sector
diplomatic entities
|
|
gptkbp:technique
|
T1027
T1059
T1071
T1105
T1095
|
|
gptkbp:usedBy
|
gptkb:Cozy_Bear
gptkb:APT29
gptkb:The_Dukes
|
|
gptkbp:usesCloudServices
|
true
|
|
gptkbp:usesMalware
|
backdoor
remote access tool
|
|
gptkbp:usesSteganography
|
true
|
|
gptkbp:writtenBy
|
gptkb:C++
gptkb:.NET
|
|
gptkbp:bfsParent
|
gptkb:CozyDuke
gptkb:Hammertoss
|
|
gptkbp:bfsLayer
|
7
|