Cyble Research and Intelligence Labs uncovered a cyber-espionage campaign targeting defense systems using a weaponized ZIP file disguised as a Belarusian military document. The operation employed advanced obfuscation, covert tunneling through Tor, and persistence techniques reminiscent of Sandworm's tactics, raising concerns about state-sponsored espionage efforts. #Sandworm #BelarusianMilitary
Keypoints
- The attack involved a malicious ZIP archive mimicking a Belarusian military document to deceive victims.
- It used an obfuscated PowerShell script and environment checks to evade automated detection systems.
- Persistence was maintained through scheduled tasks that deployed OpenSSH and a modified Tor client, exposing the host as hidden SSH and Tor services.
- The malware used the obfs4 pluggable transport to disguise its Tor connections from network-level inspection, and exfiltrated data over .onion addresses.
- Defense recommendations include filtering nested ZIP files, verifying document authenticity, and monitoring Tor traffic.
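As an added example (not code from Cyble or The Cyber Express), the following Python filter implements the first recommendation above: it inspects a ZIP attachment and flags any member that is itself a ZIP archive, identifying it by its header bytes rather than its file extension, so an inner archive renamed to look like a document is still caught. The sample archive, member names and script contents are constructed here for illustration and do not reproduce the real lure.

```python
import io
import zipfile

# Local file header of a ZIP member, and the end-of-central-directory
# record that an empty ZIP begins with.
ZIP_MAGIC = b"PK\x03\x04"
EMPTY_ZIP_MAGIC = b"PK\x05\x06"


def nested_archives(data: bytes, max_depth: int = 3, _depth: int = 0) -> list:
    """Return (depth, member_name) for every member of the ZIP in `data`
    that is itself a ZIP archive, recursing up to `max_depth` levels.

    Detection is by header bytes, not by filename, so 'Report.pdf' that
    really contains a ZIP is reported. Members that merely start with
    the magic but fail to parse are still reported at their own level.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:        # decompressed view of the member
                head = fh.read(4)
            if head not in (ZIP_MAGIC, EMPTY_ZIP_MAGIC):
                continue
            found.append((_depth + 1, info.filename))
            if _depth + 1 < max_depth:
                try:
                    found.extend(
                        nested_archives(zf.read(info), max_depth, _depth + 1)
                    )
                except zipfile.BadZipFile:
                    pass                     # magic present but not a parseable ZIP
    return found


def should_quarantine(data: bytes) -> bool:
    """Policy hook for a mail or web gateway: hold anything that is a ZIP
    containing another ZIP. Non-ZIP input is passed through untouched."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    return bool(nested_archives(data))


def build_sample() -> bytes:
    """Constructed sample mimicking the lure shape: an outer archive whose
    'document' member is a second ZIP carrying a script. Hypothetical names."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.ps1", "Write-Host 'placeholder'")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "benign text")
        z.writestr("Report.pdf", inner.getvalue())   # extension lies; content is a ZIP
    return outer.getvalue()


def build_clean_sample() -> bytes:
    """Constructed benign archive with no nested ZIP, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample()), ("clean", build_clean_sample())):
        print(label, nested_archives(blob), "quarantine:", should_quarantine(blob))
```

Run it against real attachments by passing the file bytes to `should_quarantine`; a gateway rule built on this should also log the reported member names, since a nested archive with a document-like name is a stronger signal than nesting alone.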
Read More: https://thecyberexpress.com/belarus-military-hit-by-ssh-tor-backdoor/