Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector

MITRE Techniques

• [T1566] Phishing – Malicious ZIP archive disguised as a PDF military document (“Malicious ZIP archive disguised as a PDF military document”).
• [T1204.002] User Execution: Malicious File – Victim opens LNK believing it to be a PDF, which triggers execution (“The victim opens the LNK file, believing it to be a legitimate PDF document”).
• [T1059.001] Command and Scripting Interpreter: PowerShell – LNK executes embedded PowerShell to extract and run the payload (“LNK file executes embedded PowerShell commands to extract and execute a malicious payload”).
• [T1053.005] Scheduled Task/Job: Scheduled Task – Creates scheduled tasks that run on logon and daily at 10:21 AM UTC for persistence (“Creates scheduled tasks triggering on logon and daily at 10:21 AM UTC to maintain persistence”).
• [T1036.005] Masquerading: Match Legitimate Name or Location – Uses legitimate-sounding filenames (githubdesktop.exe, pinterest.exe) to disguise malicious binaries (“Uses legitimate software names (githubdesktop.exe, pinterest.exe) to disguise malicious binaries”).
• [T1497] Virtualization/Sandbox Evasion – Checks for >=10 LNK files and >=50 processes to detect and evade sandbox environments (“Checks for a minimum of 10 LNK files and 50 processes to detect sandbox environments”).
• [T1027] Obfuscated Files or Information – Uses nested archives, randomized filenames, and obfuscated PowerShell to evade detection (“Uses nested archives, randomized filenames, and obfuscated PowerShell to evade detection”).
• [T1070.004] Indicator Removal on Host: File Deletion – Executes from %AppData% with hidden folders to minimize forensic footprint (“Executes from %AppData% with hidden folders to minimize forensic footprint”).
• [T1552.004] Unsecured Credentials: Private Keys – Deploys pre-generated RSA private keys embedded in the archive for SSH authentication (“Deploys pre-generated RSA private keys for SSH authentication embedded in malware archive”).
• [T1071.001] Application Layer Protocol: Web Protocols – Uses curl over Tor to register victim with attacker C2 (“Uses HTTPS via curl to register the victim with the attacker’s C2 infrastructure”).
• [T1573.002] Encrypted Channel: Asymmetric Cryptography – Establishes SSH connections using RSA key-based authentication for secure C2 (“Establishes SSH connections using RSA key-based authentication for secure C2”).
• [T1090.003] Proxy: Multi-hop Proxy – Routes C2 traffic through the Tor network via a local SOCKS5 proxy for anonymization (“Routes all C2 traffic through the Tor network using a SOCKS5 proxy for anonymization”).
• [T1572] Protocol Tunneling – Tunnels SSH, RDP, SMB, and SFTP through Tor hidden service .onion addresses (“Tunnels SSH, RDP, SMB, and SFTP through Tor hidden service .onion addresses”).
• [T1095] Non-Application Layer Protocol – Uses obfs4 pluggable transport to disguise Tor traffic (“Uses obfs4 pluggable transport to disguise Tor traffic as benign communications”).
• [T1041] Exfiltration Over C2 Channel – Exfiltrates data via SFTP subsystem routed through the Tor hidden service (“Exfiltrates data via SFTP subsystem routed through Tor hidden service”).
• [T1048.002] Exfiltration Over Alternative Protocol – Uses SSH/SFTP for encrypted data exfiltration separate from primary C2 channel (“Uses SSH/SFTP for encrypted data exfiltration, separate from the primary C2 channel”).
• [T1021.002] Remote Services: SMB/Windows Admin Shares – Exposes SMB (port 445) through Tor for network share access and lateral movement (“Exposes SMB port 445 through Tor for network share access and lateral movement”).
• [T1021.001] Remote Services: Remote Desktop Protocol – Provides RDP access via Tor forwarding to local RDP for interactive control (“Provides RDP access on port 3389 through Tor for interactive system control”).