Sandworm Uses SSH-over-Tor for Stealthy, Long-Term Persistence
Key Takeaways
- The state-sponsored threat group Sandworm has deployed a sophisticated new campaign leveraging SSH and Tor for highly stealthy, long-term persistence within victim networks.
- Targets include government, diplomatic, energy, and research sectors, with the primary objective of intelligence theft.
- The attack initiates via spear-phishing emails containing a malicious ZIP archive that deploys a multi-component toolkit, including disguised OpenSSH and Tor servers.
- This advanced method creates a double-encrypted, anonymous command-and-control channel, allowing attackers to bypass traditional network defenses and exfiltrate data undetected.
- Defenders must implement enhanced email security, advanced endpoint detection, and robust network traffic analysis to counter these refined tactics.
Sandworm Elevates Persistence Tactics with SSH-over-Tor Tunnels
The notorious state-sponsored hacking collective Sandworm, also known by aliases such as APT-C-13 and FROZENBARENTS, has launched an advanced cyber espionage campaign. This operation marks a significant evolution in the group’s tradecraft, utilizing an intricate combination of SSH and Tor tunneling to establish deeply embedded, persistent access within targeted networks, effectively operating under the radar of conventional security measures.
This latest campaign represents a strategic shift for Sandworm, moving beyond simpler malware callbacks to a highly anonymized, encrypted remote control infrastructure. This sophisticated setup is designed to maintain covert operations and exfiltrate sensitive data without triggering alerts from enterprise firewalls or network monitoring systems.
Sandworm’s History of Espionage
Active since at least 2014, Sandworm has consistently focused its efforts on acquiring political, military, and technological intelligence. Its historical targets predominantly include government entities, diplomatic missions, energy providers, and research institutions.
Advanced Infiltration and Evasion Techniques
In this recent offensive, Sandworm refined its intrusion methodologies by deploying dual-layer anonymous tunnels. These tunnels are meticulously engineered to mimic legitimate network traffic, allowing them to blend in and avoid detection.
The attack chain typically commences with a spear-phishing email. This email delivers a ZIP archive that, upon extraction, silently installs a suite of malicious tools. Simultaneously, a legitimate-looking decoy document is displayed to the unsuspecting victim, maintaining cover during the compromise.
Analysts at the 360 Advanced Threat Research Institute meticulously examined several malicious samples associated with this campaign. Their findings highlight Sandworm’s use of nested SSH and Tor tunneling to construct a double-encrypted, anonymous channel between the attacker’s infrastructure and the compromised host. This architecture grants the attackers unfettered access to victim systems, enabling them to extract sensitive information while circumventing standard traffic inspection tools and network alerts.
Execution Flow and Persistent Foothold
The initial malicious payload is contained within a ZIP archive named “Iskhod_7582_Predstavlenie_na_naznachenie.zip,” identified by the MD5 hash 2156c270ffe8e4b23b67efed191b9737. Inside this archive, Sandworm conceals a malicious LNK shortcut, cleverly disguised as a PDF document, alongside a deceptive folder named “$RECYCLE.BIN” designed to mimic the legitimate Windows Recycle Bin directory.
When a victim clicks the LNK file, the entire attack toolkit is silently deployed in the background. Concurrently, the genuine decoy PDF opens, distracting the user and preventing immediate suspicion of the ongoing installation.
The ultimate impact of this attack is severe. Once the toolkit is established, attackers achieve persistent control over the victim’s internal network. This control facilitates lateral movement, access to sensitive files, and remote desktop operations.
Crucially, local ports such as SMB (445) and RDP (3389) are mapped to a .onion address. This configuration allows the attackers to connect from any global location via the Tor network, effectively bypassing inbound firewall protections, since the host itself builds the outbound Tor connection that the attackers then ride back in on.
How Sandworm Achieved Persistent Hidden Access
The sophistication of Sandworm’s latest campaign is most evident in its method for embedding long-term access within compromised systems, utilizing tools disguised as benign applications.
Following the execution of the LNK file, a primary control script, “currentSessionTrigger,” is activated. This script first performs environmental checks, looking for at least 10 recent .lnk files and 50 or more active processes, a tactic likely designed to evade sandbox environments. If these checks are successful, the script registers two scheduled tasks: “OperagxRepairTask” and “DropboxRepairTask.” These tasks are deliberately hidden from the default Task Scheduler view, ensuring that the malicious payloads are launched automatically each time the user logs in.
These scheduled tasks initiate two disguised executables: “operagx.exe,” which is an OpenSSH daemon, and “dropbox.exe,” which functions as a Tor server. A third file, “safari.exe,” acts as an obfs4 traffic obfuscation plugin. This plugin transforms all Tor traffic into random TCP streams, a technique employed to bypass advanced enterprise firewalls and deep packet inspection systems. Additionally, “obsstudio.exe” serves as an SFTP server, facilitating covert file transfers. The SSH daemon is specifically configured to listen only on the local loopback port 20321, rendering it invisible to external network scans.
Upon the activation of the Tor service, a hidden .onion hostname is generated. The main control script then reads this hostname and transmits the victim’s identity details to a hardcoded command-and-control (C2) address: kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion. This communication is performed using “curl” with aggressive retry settings, thereby establishing a permanent, encrypted, and highly resilient shadow control channel within the victim’s network.
What You Should Do
- Regularly audit scheduled tasks on all endpoints for suspicious entries, especially those impersonating legitimate applications like web browsers or cloud storage services.
- Configure network firewalls and intrusion detection/prevention systems to identify and block known Tor and obfs4 traffic patterns at the network perimeter.
- Implement continuous security awareness training for all employees, emphasizing the dangers of opening ZIP attachments from unknown or unexpected senders, particularly those containing LNK shortcuts disguised as documents.
- Deploy advanced endpoint detection and response (EDR) solutions capable of identifying unusual SSH server processes, especially those running from non-standard directories like AppData or utilizing non-default port configurations.
- Maintain up-to-date threat intelligence feeds to stay informed about the latest Sandworm tactics, techniques, and procedures (TTPs).
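A defender-side hunt for the persistence pattern described above, added here as an example (it is not code from the report or from the 360 analysis): it scores scheduled tasks on the three indicators the execution flow exposes (hidden task, binary launched from AppData, name mimicking a known application), flags loopback-only listeners owned by AppData processes such as the port 20321 SSH daemon, and checks a server greeting for an SSH banner. The task inventory, listener tuples (assumed to come from something like netstat -ano joined with a process list), paths and user name are constructed sample data.

```python
import re
from dataclasses import dataclass

# Names the campaign borrowed from legitimate software (taken from the report above).
LOOKALIKE_NAMES = {"operagx.exe", "dropbox.exe", "safari.exe", "obsstudio.exe"}
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

@dataclass
class Task:
    name: str
    hidden: bool   # Task Scheduler "Hidden" setting (not shown in the default view)
    action: str    # path of the executable the task launches at logon

def task_findings(tasks):
    """Return (task name, reasons) for tasks that match at least two indicators."""
    out = []
    for t in tasks:
        exe = t.action.lower().rsplit("\\", 1)[-1]
        reasons = [why for hit, why in (
            (t.hidden, "hidden from default Task Scheduler view"),
            (bool(APPDATA.search(t.action)), "launches a binary from AppData"),
            (exe in LOOKALIKE_NAMES, "binary name mimics a known application"),
        ) if hit]
        # One indicator alone is noisy: the real Dropbox client also lives in AppData.
        if len(reasons) >= 2:
            out.append((t.name, reasons))
    return out

def is_ssh_banner(data: bytes) -> bool:
    """An SSH server sends its identification string first (RFC 4253), so a
    loopback listener that greets with it is an SSH daemon whatever its file name."""
    return data.startswith((b"SSH-2.0-", b"SSH-1.99-"))

def appdata_loopback_listeners(listeners):
    """listeners: (local address, port, owning process path) tuples.
    Flags loopback-only sockets owned by a process running from AppData."""
    return [(addr, port, image) for addr, port, image in listeners
            if addr.startswith("127.") and APPDATA.search(image)]

# Constructed sample inventory modelled on the report; not real telemetry.
SAMPLE_TASKS = [
    Task("OperagxRepairTask", True, r"C:\Users\alice\AppData\Roaming\operagx.exe"),
    Task("DropboxRepairTask", True, r"C:\Users\alice\AppData\Roaming\dropbox.exe"),
    Task("DropboxUpdate", False, r"C:\Users\alice\AppData\Local\Dropbox\Update\DropboxUpdate.exe"),
]
SAMPLE_LISTENERS = [
    ("127.0.0.1", 20321, r"C:\Users\alice\AppData\Roaming\operagx.exe"),
    ("0.0.0.0", 445, r"C:\Windows\System32\svchost.exe"),
]
```

The benign DropboxUpdate entry is deliberately included: it runs from AppData but is neither hidden nor a look-alike name, so it stays below the two-indicator threshold.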
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.