HammerDuke

Description

(F-Secure) HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke. Specifically, the only known infection vector for HammerDuke is to be downloaded and executed by CozyDuke onto a victim that has already been compromised by that toolset. This, together with HammerDuke’s simplistic backdoor functionality, suggests that it is primarily used by the Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the initial infection and stole any readily available information from them.

HammerDuke is, however, interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they retrieve commands, but other variants first use a custom algorithm to generate a Twitter account name based on the current date. If the account exists, HammerDuke then searches for tweets from that account containing links to image files with embedded commands for the toolset to execute.

HammerDuke’s use of Twitter and crafted image files is reminiscent of other Duke toolsets. Both OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names and then search for any tweets from those accounts that link to image files. In contrast, however, for OnionDuke and MiniDuke the linked image files contain embedded malware to be downloaded and executed, rather than instructions.

Names

  • HammerDuke
  • HAMMERTOSS
  • NetDuke
  • tDiscoverer

Category

Malware

Type

  • Backdoor
  • Loader

Information

MITRE ATT&CK

Malpedia

AlienVault OTX

Other Information

UUID

1e6b6d4a-107d-4162-a46f-364df9138fc0

Last Card Change

2021-04-24