In the world of cyber espionage, the most dangerous threat isn’t the one that breaks your front door—it’s the one that builds a secret tunnel into your basement and lives there for years. Sandworm (also tracked as APT-C-13 and FROZENBARENTS), a notorious state-sponsored threat group active since 2014, has recently unveiled a sophisticated upgrade to its intrusion tactics.
Moving away from traditional, “noisy” malware callbacks, Sandworm is now deploying a dual-layer anonymous tunnel using SSH-over-Tor. By nesting encrypted SSH traffic within the Tor network, these attackers have created a shadow remote-control system that operates silently behind enterprise firewalls.
This blog post deconstructs the technical mechanics of this new tradecraft, analyzes how it bypasses modern defenses, and provides actionable steps for SOC analysts and CISOs to harden their infrastructure.
The Mechanics of the SSH-over-Tor Attack
The core innovation in this campaign is the use of nested tunneling. By combining the robust encryption of SSH with the anonymity of the Tor network, Sandworm effectively neutralizes standard Network Detection and Response (NDR) tools.
How the Double-Encrypted Channel Works
- Encryption Layer 1 (SSH): The attackers deploy an OpenSSH daemon on the victim’s machine. This provides a secure, encrypted shell for executing commands and moving laterally.
- Encryption Layer 2 (Tor): The SSH traffic is routed through a local Tor client. This masks the destination IP of the attacker, making the traffic appear to be headed toward a random Tor relay.
- Obfuscation (obfs4): To ensure the traffic doesn’t “look” like Tor—which many enterprise firewalls block—the group uses an obfs4 plugin. This reshapes the traffic into random-looking TCP streams, successfully bypassing Deep Packet Inspection (DPI).
Step-by-Step Breakdown: The Infection Lifecycle
Phase 1: Delivery and Execution
The attack begins with a classic spear-phishing lure. Victims receive a ZIP archive (e.g., Iskhod_7582_Predstavlenie_na_naznachenie.zip). Inside, the group employs a “double-deception” tactic:
- The LNK File: A malicious shortcut file disguised as a PDF.
- The Fake Folder: A directory named $RECYCLE.BIN to mimic the Windows Recycle Bin, hiding the core toolkit.
- The Decoy: Once the LNK is clicked, a legitimate PDF opens to distract the user while the toolkit installs in the background.
Phase 2: Environment Awareness & Anti-Sandbox Checks
Sandworm’s control script, currentSessionTrigger, is designed to evade automated sandbox analysis. It performs “sanity checks” to ensure it is on a human-operated machine:
- Process Count: Checks for ≥50 active processes.
- File History: Checks for ≥10 recent .lnk files in the user profile.
Phase 3: Achieving Persistence
If the environment is deemed “real,” the script registers two hidden scheduled tasks: OperagxRepairTask and DropboxRepairTask. These tasks are configured to run at every user login, ensuring the backdoor survives a reboot.
| Disguised File | Real Identity | Function |
|---|---|---|
| operagx.exe | OpenSSH Daemon | Provides remote command execution. |
| dropbox.exe | Tor Server | Provides anonymity and firewall bypass. |
| safari.exe | obfs4 Plugin | Obfuscates Tor traffic to look like random TCP. |
| obsstudio.exe | SFTP Server | Enables silent, encrypted file exfiltration. |
Bypassing Inbound Protections: The .onion Backdoor
Standard firewalls are designed to block inbound connections. However, by using Tor, Sandworm reverses the logic. The compromised host reaches outbound to the Tor network and registers a hidden .onion address.
The attacker can then connect to this .onion address from anywhere in the world. The Tor network handles the routing, and the local host maps critical ports—such as SMB (445) and RDP (3389)—directly to the tunnel. This grants the attacker full Remote Desktop access to a machine that, on paper, is completely protected by a perimeter firewall.
Risk Impact Analysis
The deployment of an SSH-over-Tor tunnel represents a critical risk to any organization.
- Long-Term Persistence: Because the traffic blends in with web noise, the dwell time for these intrusions can be measured in months or years.
- Lateral Movement: Mapping SMB and RDP allows attackers to hop from the initial compromised workstation to sensitive servers and domain controllers.
- Data Exfiltration: With an SFTP server (obsstudio.exe) already in place, the group can leak gigabytes of data through an encrypted channel that looks like generic browser traffic.
Detection and Mitigation Best Practices
To defend against Sandworm’s updated tradecraft, security teams must move beyond simple signature-based detection.
1. Audit Scheduled Tasks
Regularly scan for tasks that impersonate popular software (Opera, Dropbox, Safari) but point to unusual execution paths such as \AppData\Local\ or \Temp\. Use PowerShell or your EDR to enumerate every registered task, including those hidden from the default Task Scheduler GUI.
2. Endpoint Detection (EDR) Patterns
Configure your EDR to alert on:
- ssh.exe or sshd.exe running from non-standard directories.
- Processes listening on local loopback ports (e.g., port 20321) that are not associated with known developer tools.
- The presence of obfs4 transport plugins.
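The task audit from items 1 and 2 above, as an added example that is not code from the original post: it reads the XML that Windows stores for each scheduled task (the files under System32\Tasks, or the output of an XML export) and flags a task whose name borrows a popular software brand but whose action runs from \AppData\Local\ or \Temp\, noting the logon trigger and Hidden flag as supporting signals. The brand list, the sample task XML and the task name are constructed for this demonstration.

```python
"""Audit Windows scheduled-task XML for the disguise pattern described above."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Brands the post says are impersonated; extend for your estate (assumption).
IMPERSONATED_BRANDS = ("opera", "dropbox", "safari", "obs")
# Per-user writable locations the post names as unusual for a vendor repair task.
SUSPICIOUS_PATHS = re.compile(r"\\AppData\\Local\\|\\Temp\\", re.IGNORECASE)


def audit_task(task_name: str, task_xml: str) -> dict:
    """Return findings for one task; 'suspicious' is the overall verdict."""
    root = ET.fromstring(task_xml)
    commands = [c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    logon = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    hidden_text = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS) or ""
    hidden = hidden_text.strip().lower() == "true"
    brand_name = any(b in task_name.lower() for b in IMPERSONATED_BRANDS)
    odd_path = any(SUSPICIOUS_PATHS.search(c) for c in commands)
    return {
        "task": task_name,
        "commands": commands,
        "logon_trigger": logon,
        "hidden": hidden,
        "brand_name": brand_name,
        "odd_path": odd_path,
        # A brand-mimicking name whose binary lives in a user-writable path is
        # the core signal; the logon trigger and Hidden flag raise confidence.
        "suspicious": brand_name and odd_path,
    }


# Constructed sample in the schema Windows writes under System32\Tasks.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Local\\$RECYCLE.BIN\\operagx.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for key, value in audit_task("OperagxRepairTask", SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```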
3. Network Level Filtering
While obfs4 makes detection difficult, blocking known Tor entry nodes and monitoring for high-frequency outbound curl requests to .onion domains can disrupt the Command and Control (C2) heartbeat.
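The .onion heartbeat check described above, as an added example that is not code from the original post: it walks outbound proxy log lines and alerts on any client that makes more than a threshold of curl requests to .onion hosts inside a sliding time window. The log line format (ISO timestamp, client IP, method, URL or host:port, user agent), the window, the threshold and the sample lines are all constructed assumptions.

```python
"""Flag clients with high-frequency curl requests to .onion hosts (beaconing)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=5)   # assumption: period in which a heartbeat repeats
THRESHOLD = 3                   # assumption: .onion hits per window before alerting


def parse_line(line):
    """Assumed format: '<ISO time> <client> <method> <url-or-host:port> <user agent>'."""
    ts, client, method, target, agent = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, method, target, agent


def onion_host(target):
    """Return the host for both absolute URLs and CONNECT-style host:port targets."""
    return urlsplit(target if "://" in target else "//" + target).hostname or ""


def is_onion_curl(target, agent):
    return onion_host(target).endswith(".onion") and agent.lower().startswith("curl/")


def find_onion_beacons(lines):
    """Return {client: time of first alert} for clients that trip the threshold."""
    recent = defaultdict(deque)   # per-client timestamps of .onion hits in the window
    alerts = {}
    for line in lines:
        ts, client, _method, target, agent = parse_line(line)
        if not is_onion_curl(target, agent):
            continue
        hits = recent[client]
        hits.append(ts)
        while hits and ts - hits[0] > WINDOW:   # expire hits older than the window
            hits.popleft()
        if len(hits) >= THRESHOLD and client not in alerts:
            alerts[client] = ts
    return alerts


# Constructed sample proxy log; the .onion name is a placeholder, not a real service.
SAMPLE_LOG = [
    "2024-01-10T09:00:00 10.0.0.5 GET http://placeholderhiddenservice.onion/hb curl/8.4.0",
    "2024-01-10T09:01:00 10.0.0.5 GET http://placeholderhiddenservice.onion/hb curl/8.4.0",
    "2024-01-10T09:02:00 10.0.0.7 GET https://www.example.com/ Mozilla/5.0 (Windows NT 10.0)",
    "2024-01-10T09:02:30 10.0.0.5 GET http://placeholderhiddenservice.onion/hb curl/8.4.0",
    "2024-01-10T09:30:00 10.0.0.9 CONNECT placeholderhiddenservice.onion:443 curl/7.88.1",
    "2024-01-10T10:00:00 10.0.0.9 CONNECT placeholderhiddenservice.onion:443 curl/7.88.1",
    "2024-01-10T10:01:00 10.0.0.9 CONNECT placeholderhiddenservice.onion:443 curl/7.88.1",
]

if __name__ == "__main__":
    print(find_onion_beacons(SAMPLE_LOG))
```

Client 10.0.0.9 stays below the threshold because its first hit has left the window by the time the later two arrive.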
4. User Awareness Training
The “human firewall” remains the first line of defense. Train employees to recognize that .zip files containing .lnk shortcuts are a high-risk indicator of a phishing attempt.
Frequently Asked Questions (FAQs)
Q1: Why does Sandworm use Tor instead of a standard VPN? A: Tor provides multi-hop anonymity, making it nearly impossible for defenders to trace the C2 server’s actual IP address. Additionally, Tor’s hidden services allow attackers to bypass inbound firewall rules entirely.
Q2: Can standard antivirus detect the obfs4 plugin? A: Not necessarily. Since many of these tools (OpenSSH, Tor) are legitimate software, they may not be flagged as “malicious” by traditional AV. Detection requires behavioral analysis (EDR/XDR).
Q3: What industries are most at risk? A: Sandworm historically targets government, energy, diplomatic, and research sectors, though any organization with high-value IP is a potential target.
Q4: How does the obfs4 plugin bypass Deep Packet Inspection (DPI)? A: It “scrambles” the packet headers and timing, making the traffic look like a stream of random bytes. This prevents DPI from recognizing the characteristic “handshake” of the Tor protocol.
Conclusion: Proactive Defense is Mandatory
The shift toward nested, anonymous tunneling marks a significant escalation in threat detection challenges. Sandworm’s use of SSH-over-Tor demonstrates that even the most “secure” perimeter can be rendered irrelevant by clever outbound tunneling.
Organizations must adopt a Zero Trust mindset—assuming the perimeter is already breached and focusing on detecting the subtle anomalies of internal persistence.