Recently, a malicious campaign was uncovered that targeted Ukrainian military personnel through fake “Army+” application websites. These websites hosted a malicious installer that, upon execution, extracted the legitimate application alongside the Tor browser. The inclusion of the Tor browser indicated that the attackers were likely using it for covert communication or data exfiltration.
The malicious installer, known as ArmyPlusInstaller, began by launching a decoy application, ArmyPlus.exe, while running a PowerShell script named init.ps1 in the background. To conceal this activity, the installer launched cmd with the /min parameter so that the console window stayed minimized, and it bypassed PowerShell’s default security restrictions so the script would run.
The malware distributed its components across three distinct folders, with the ArmyPlus directory containing decoy files alongside the core script, init.ps1. This script orchestrated the setup by extracting the Tor browser into the OneDriveData folder, configuring it for covert operation, and launching it without a visible window. Simultaneously, OpenSSH files were placed in the ssh directory, establishing a backdoor for command-and-control.
By leveraging Tor for covert communication, the malware established a persistent backdoor on a Windows 11 system. This involved generating an RSA key pair, configuring and starting the OpenSSH server, and sending system information, the public key, and its Tor onion address to a remote server via the Tor network. The remote server then used the private key to securely send commands to the compromised system over the SSH connection, allowing attackers to execute arbitrary commands with high privileges.
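The three preceding paragraphs describe one execution chain (cmd /min launching a PowerShell script, Tor started from an unexpected folder, OpenSSH tooling dropped and run from a non-system path). The following Python is an added detection example written for this summary; it is not code from the report or from the campaign’s tooling. It scores Sysmon-style process-creation events (Image, CommandLine, ParentImage, ParentCommandLine) against that chain. The file paths, the sample events, and the use of the -ExecutionPolicy Bypass switch as the way the script sidestepped PowerShell’s default restrictions are all assumptions constructed for the example.

```python
"""Hunting logic for the installer chain described above (added example).

Scores Sysmon-style process-creation events against the behaviours the
report describes. Sample events at the bottom are constructed, not real
telemetry from the campaign.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    image: str               # path of the created process (Sysmon Image)
    cmdline: str             # its command line (CommandLine)
    parent_image: str        # parent process path (ParentImage)
    parent_cmdline: str = "" # parent command line (ParentCommandLine)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under(path: str, folder: str) -> bool:
    # Case-insensitive "does this path live beneath <folder>" check.
    return f"\\{folder.lower()}\\" in path.lower()


_SHELLS = ("powershell.exe", "pwsh.exe")

# Rule name -> predicate. Each encodes one step from the report.
RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    # cmd started with /min (minimised window) handing a script to PowerShell.
    "cmd_min_to_powershell_script": lambda e: (
        _basename(e.parent_image) == "cmd.exe"
        and "/min" in e.parent_cmdline.lower()
        and _basename(e.image) in _SHELLS
        and re.search(r"\.ps1\b", e.cmdline, re.I) is not None
    ),
    # Tor daemon launched directly by PowerShell, not by the Tor Browser launcher.
    "tor_spawned_by_powershell": lambda e: (
        _basename(e.image) == "tor.exe"
        and _basename(e.parent_image) in _SHELLS
    ),
    # OpenSSH key generation or server started by a script.
    "openssh_tool_spawned_by_powershell": lambda e: (
        _basename(e.image) in ("sshd.exe", "ssh-keygen.exe")
        and _basename(e.parent_image) in _SHELLS
    ),
    # OpenSSH binaries running outside the Windows-shipped location.
    "openssh_from_nonstandard_path": lambda e: (
        _basename(e.image) in ("sshd.exe", "ssh-keygen.exe")
        and not _under(e.image, "windows\\system32\\openssh")
    ),
}


def evaluate(events: List[ProcEvent]) -> Dict[str, List[ProcEvent]]:
    """Return every rule that fired, with the events that triggered it."""
    hits: Dict[str, List[ProcEvent]] = {}
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits.setdefault(name, []).append(ev)
    return hits


def backdoor_chain_detected(events: List[ProcEvent], min_rules: int = 3) -> bool:
    """The report describes a single chain, so several distinct rules firing
    on one host is a far stronger signal than any rule on its own."""
    return len(evaluate(events)) >= min_rules


# --- constructed sample telemetry (paths are placeholders, not IoCs) ---
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SCRIPT = r"C:\Users\victim\AppData\Local\ArmyPlus\init.ps1"
_CMD = rf'cmd.exe /c start /min powershell.exe -ExecutionPolicy Bypass -File "{_SCRIPT}"'
_PS_CMD = rf'powershell.exe -ExecutionPolicy Bypass -File "{_SCRIPT}"'

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", _CMD,
              r"C:\Users\victim\Downloads\ArmyPlusInstaller.exe", "ArmyPlusInstaller.exe"),
    ProcEvent(_PS, _PS_CMD, r"C:\Windows\System32\cmd.exe", _CMD),
    ProcEvent(r"C:\Users\victim\AppData\Local\OneDriveData\Tor\tor.exe",
              "tor.exe -f torrc", _PS, _PS_CMD),
    ProcEvent(r"C:\Users\victim\AppData\Local\ssh\ssh-keygen.exe",
              "ssh-keygen.exe -t rsa -N \"\" -f id_rsa", _PS, _PS_CMD),
    ProcEvent(r"C:\Users\victim\AppData\Local\ssh\sshd.exe",
              "sshd.exe -f sshd_config", _PS, _PS_CMD),
]

BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\OpenSSH\sshd.exe", "sshd.exe",
              r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(_PS, r"powershell.exe -File C:\scripts\backup.ps1",
              r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for name, evs in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {[ _basename(e.image) for e in evs ]}")
    print("chain detected:", backdoor_chain_detected(SAMPLE_EVENTS))
```

Run it as-is to see all four rules fire on the constructed chain and none on the benign events; in practice feed it events exported from Sysmon or an EDR, and tune the path rules to whatever OpenSSH location your environment uses.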
The attackers used social engineering tactics to disguise their malicious activity within a seemingly legitimate application installer. By requesting administrative privileges, a common requirement for Windows applications, the installer aimed to establish trust with the user while concealing the true nature of the payload. The main executable displayed a deceptive error message, while the true malicious activity was hidden within the PowerShell script, init.ps1, effectively maintaining the appearance of a legitimate software installation.
Overall, this malicious campaign highlights the growing sophistication of cyber attacks targeting military personnel. By exploiting legitimate software and native Windows binaries, attackers can establish backdoors on compromised systems and exfiltrate sensitive information using covert communication channels. It serves as a stark reminder of the importance of practicing cyber hygiene and remaining vigilant against social engineering tactics employed by malicious actors.