A new breed of sophisticated malware is pretending to be a real person in order to spy on its victims longer.
Researchers at FireEye discovered the particular strain of malware can hide' in network traffic such as Twitter and GitHub after it has been installed on machines, watching what users are doing for as long as it wants, going undetected by antivirus tools.
Starting by scouring Twitter streams for specific messages sent by hackers, these give it its instructions, before it explores GitHub for an image that includes code to perform the next stage of its attack.
This image instructs the malware to upload confidential files from organisations' computer systems onto a cloud-based server that the hacking group has access to, without anyone noticing at all.
FireEye believes Russian hacker group APT29 (possibly sponsored by the government) are behind the malicious program that uses advanced persistent threat (APT) campaigns to spy on people and can therefore run under the radar.
It can then "relay commands and extract data from compromised networks," when it wishes.
"We really think Hammertoss exemplifies the way [state-sponsored] actors are moving in a way that more easily evades and avoids traditional defenses," said Jordan Berry, a threat researcher at FireEye.
However, the malware is only targeting limited numbers of, but sizeable targets so it continues to go undetected by detection software. If it were to target a higher-volume of smaller targets, it would be more likely to be discovered and a fix rolled out.
"While other APT groups try cover their tracks, very few groups show the same discipline to thwart investigators and the ability to adapt to network defenders' countermeasures," FireEye said.
