
New Stealthy Malware Leveraging SSH Over TOR Attacking Ukrainian Military


Researchers recently discovered a malicious campaign targeting Ukrainian military personnel through fake “Army+” application websites, which host a malicious installer that, upon execution, extracts the legitimate application alongside the Tor browser.

The installer also carries a PowerShell script, and its contents show that the Tor browser is not bundled for legitimate use: it is most likely meant to give the attackers a covert channel, either for command and control or for exfiltrating data.

Windows executable file

ArmyPlusInstaller initiates the installation process by launching a decoy application, ArmyPlus.exe, while simultaneously running a PowerShell script named init.ps1 in the background.


To conceal its activity, ArmyPlusInstaller launches cmd with the /min parameter so that the console window opens minimized, and uses that window to start PowerShell with its default execution policy overridden. This step matters because PowerShell, unlike the Windows Command Prompt, enforces an execution policy that on Windows client systems refuses to run script files by default, so the installer must bypass it before init.ps1 can execute. The execution policy is not a security boundary (a single command-line switch defeats it), which is exactly why a PowerShell launch that bypasses it is itself a useful detection signal.

To override these ...
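The process chain described above (an installer launched from a user's download folder spawning a minimized cmd, which in turn starts PowerShell with its execution policy bypassed and its window hidden to run a script from a temp directory) is easy to express as a detection rule over process-creation telemetry. The following is an added example written for this article; it is not code from gbhackers or from the campaign analysis. The log records are constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the installer and script names follow the article, while the file paths and the `-ep bypass -w hidden` invocation are assumptions about how such a launch typically looks.

```python
import re

# Constructed sample process-creation records modelled on Sysmon Event ID 1
# fields. They are made up for this example, not telemetry from the campaign;
# ArmyPlusInstaller.exe and init.ps1 are the names the article gives, the
# paths and switches are assumed.
SAMPLE_EVENTS = [
    {   # installer spawns a minimized cmd that runs the hidden PowerShell script
        "ParentImage": r"C:\Users\user\Downloads\ArmyPlusInstaller.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /min /c "powershell.exe -ep bypass -w hidden -File C:\Users\user\AppData\Local\Temp\init.ps1"',
    },
    {   # the child PowerShell process as it is logged on its own
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\user\AppData\Local\Temp\init.ps1",
    },
    {   # benign interactive cmd
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # benign admin PowerShell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Get-Process",
    },
    {   # policy bypass alone, script under Program Files: a single weak signal
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Vendor\update.ps1"',
    },
]

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -ExecutionPolicy can appear as -ep, -ex, -exec, ... and -WindowStyle as -w.
RE_POLICY_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)
RE_HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden\b", re.I)
# /min as reported by the article for the cmd launch (start /min carries it too)
RE_CMD_MIN = re.compile(r"(?:^|\s)/min(?:\s|$)", re.I)
RE_USER_WRITABLE = re.compile(
    r"(?:\\Users\\|%TEMP%|%APPDATA%|\\AppData\\|\\Temp\\|\\ProgramData\\)", re.I)
RE_PS1_PATH = re.compile(r'"?([^"\s]+\.ps1)"?', re.I)


def analyze_event(event):
    """Return the reasons why this process-creation record resembles the
    minimized-cmd / hidden-PowerShell chain described in the article."""
    cmd = event["CommandLine"]
    image = event["Image"].lower()
    parent = event["ParentImage"]
    reasons = []
    if image.endswith("\\cmd.exe") and RE_CMD_MIN.search(cmd):
        reasons.append("cmd launched minimized (/min)")
    if RE_POLICY_BYPASS.search(cmd):
        reasons.append("PowerShell execution policy bypassed on the command line")
    if RE_HIDDEN_WINDOW.search(cmd):
        reasons.append("PowerShell window hidden")
    m = RE_PS1_PATH.search(cmd)
    if m and RE_USER_WRITABLE.search(m.group(1)):
        reasons.append("script file in a user-writable location: " + m.group(1))
    if RE_USER_WRITABLE.search(parent):
        reasons.append("parent process runs from a user-writable location")
    return reasons


def suspicious_events(events, threshold=2):
    """Indices of events that accumulate at least `threshold` reasons. One
    signal on its own (a bypass switch on a vendor updater) is tolerated;
    the stacked combination the installer uses is not."""
    return [i for i, ev in enumerate(events) if len(analyze_event(ev)) >= threshold]


if __name__ == "__main__":
    for i in suspicious_events(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(analyze_event(SAMPLE_EVENTS[i])))
```

Scoring several weak indicators rather than alerting on `-ExecutionPolicy Bypass` alone keeps legitimate deployment scripts out of the queue while still catching both links of the chain: the minimized cmd spawned by the downloaded installer and the hidden PowerShell child that runs init.ps1 from the temp folder. Real Sysmon data also carries ParentCommandLine and hashes, which would let the rule additionally pin the decoy ArmyPlus.exe launch to the same parent.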


Copyright of this story solely belongs to gbhackers. The full text is available on the gbhackers site.