Thursday, January 23, 2025
HomeCyber AttackNew Stealthy Malware Leveraging SSH Over TOR Attacking Ukrainian Military

New Stealthy Malware Leveraging SSH Over TOR Attacking Ukrainian Military

Published on

SIEM as a Service

Follow Us on Google News

Researchers recently discovered a malicious campaign targeting Ukrainian military personnel through fake “Army+” application websites, which host a malicious installer that, upon execution, extracts the legitimate application alongside the Tor browser. 

The installer includes a PowerShell script that indicates the Tor browser’s inclusion is not for legitimate use, suggesting it’s likely intended for covert communication or data exfiltration by the attackers. 

Windows executable file

ArmyPlusInstaller initiates the installation process by launching a decoy application, ArmyPlus.exe, while simultaneously running a PowerShell script named init.ps1 in the background.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

To conceal its activity, ArmyPlusInstaller executes cmd with the /min parameter, minimizing the console window and enabling PowerShell to bypass its default security restrictions, which is crucial as PowerShell, unlike the Windows Command Prompt, has stringent security measures in place for script execution. 

To override these safeguards, the script utilizes cmdlets like Get-ExecutionPolicy and Set-ExecutionPolicy to modify the execution policy and grant itself the necessary permissions to proceed.

Communication flow

The malware stealthily distributes its components across three distinct folders and the ArmyPlus directory houses decoy files alongside init.ps1, the core script. 

Init.ps1 orchestrates the setup, where it extracts the Tor browser into the OneDriveData folder, configures it for covert operation, and launches it without a visible window.

Simultaneously, OpenSSH files are placed in the ssh directory, establishing a backdoor for command-and-control. 

Tor’s hostname file within OneDriveData reveals the address of this hidden Tor instance, facilitating secure and anonymous communication over the SSH channel.

hostname file

The malware establishes a persistent backdoor on a Windows 11 system by leveraging Tor for covert communication, which generates an RSA key pair, configures and starts the OpenSSH server, and then sends system information, the public key, and its Tor onion address to a remote server via the Tor network. 

According to the researcher, the remote server uses the private key to securely send commands to the compromised system over the SSH connection, enabling attackers to execute arbitrary commands with high privileges.

It leverages social engineering by disguising malicious activity within a seemingly legitimate application installer, where the installer requests administrative privileges, a common requirement for Windows applications, to establish trust with the user. 

executing ArmyPlus.exe

While the main executable displays a deceptive error message, the true payload resides in a PowerShell script (init.ps1) hidden within the installation package, which effectively conceals the malicious activity from the user while maintaining the appearance of a legitimate software installation.

The attackers exploited legitimate software and native Windows binaries to establish a backdoor on a compromised system and used PowerShell scripts to compress system information into a zip file and send it to the attacker’s TOR control server. 

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...