Cisco Talos has identified a phishing campaign targeting users primarily in Poland and Germany. The campaign is run by a financially motivated threat actor and has been active since at least July 2024. The phishing emails deliver several malicious payloads, including Agent Tesla, Snake Keylogger, and a newly identified backdoor that Talos calls TorNet, which is dropped by the PureCrypter malware.

Attack Methodology

The campaign begins with phishing emails that impersonate financial institutions and companies in the manufacturing and logistics sectors. The emails, usually written in Polish or German, carry an attachment with a ".tgz" extension, that is, a gzip-compressed TAR archive. Wrapping the malicious file in this archive format is meant to keep its content out of reach of email security scanners that do not unpack it.

Payload Delivery

When a victim extracts the archive and runs the file inside, it downloads an encrypted PureCrypter payload from a compromised server. PureCrypter decrypts the next stage and runs it in memory, eventually deploying the TorNet backdoor. The backdoor connects the victim's machine to the Tor network, so its command and control (C2) traffic is harder to trace and block.

  • Persistence Mechanism: A Windows scheduled task maintains persistence. It is configured to start and keep running even when the machine is on low battery, so the default power-saving conditions of Task Scheduler do not stop it from executing.
  • Network Evasion: PureCrypter disconnects the machine from the network before dropping the payload and restores the connection afterwards, so cloud-backed anti-malware lookups cannot run at the moment the payload is written to disk.
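The battery setting is a useful hunting pivot: tasks created through the Task Scheduler UI or schtasks.exe default to "start only on AC power", so a task that is allowed to start and keep running on battery and that launches something from a user-writable directory stands out. The script below is an added example for this article, not code from Cisco Talos or from the malware; the list of user-writable path fragments and the decision to treat any such match as suspicious are assumptions made for illustration.

```powershell
# Added hunting script (not from the Talos report): list scheduled tasks that
# match the persistence pattern described above. Two conditions are checked:
#   1. the task may start and keep running on battery (non-default settings), and
#   2. one of its actions runs something from a user-writable location.
# $userWritable is an assumed set of directories; extend it for your estate.
$userWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\')

function Get-SuspiciousBatteryTasks {
    Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and
        $_.Settings.DisallowStartIfOnBatteries -eq $false -and
        $_.Settings.StopIfGoingOnBatteries -eq $false
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only MSFT_TaskExecAction has Execute/Arguments; other action types yield an empty string.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $hit = $userWritable | Where-Object { $cmd -like "*$_*" }
            if ($hit) {
                [PSCustomObject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                    Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                }
            }
        }
    }
}

# Run as an administrator so tasks registered under other accounts are visible.
Get-SuspiciousBatteryTasks | Format-Table -AutoSize
```

Many legitimate Microsoft tasks are also allowed to run on battery, which is why the path filter is needed; review the hits for an author or a binary you do not recognise rather than treating every row as an infection. Pair the output with the task registration events (Event ID 4698 in the Security log, if task auditing is enabled) to recover when the task was created.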

Technical Details of TorNet Backdoor

TorNet is a .NET backdoor that runs several anti-analysis checks before it does anything else. Its C2 domain and port are stored as a base64-encoded string that it decodes at runtime. The connection is then routed over the Tor network, which hides the real C2 address from network defenders and makes the traffic difficult to trace.

Anti-Analysis Techniques

TorNet employs various methods to avoid detection, including:

  • Anti-Debugging: Checks for an attached debugger and for indicators of a sandbox environment.
  • Virtual Machine Detection: Uses WMI queries to identify virtual environments.
  • Windows Defender Modification: Adds Windows Defender exclusions so that its own processes and files are not scanned.
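Two of these techniques leave artifacts a responder can check directly on the host: the Defender exclusions themselves, and the configuration-change events Defender writes when they are added. The third function mirrors the kind of WMI virtualisation check the backdoor relies on, so an analysis VM can be tested for what it exposes before the sample is detonated. This is an added triage script for this article, not code from Cisco Talos or from TorNet; the page does not name the WMI classes the malware queries, so Win32_ComputerSystem and Win32_BIOS are assumed as the usual targets of such checks, and the vendor strings in the regular expression are a hypothetical starting list.

```powershell
# Added triage script (not from the Talos report). Run as an administrator on the
# suspect host. Requires the built-in Defender module (Windows 10/11, Server 2016+).

# 1. Current Defender exclusions and real-time protection state.
function Get-DefenderExclusionState {
    $pref = Get-MpPreference
    [PSCustomObject]@{
        ExclusionPath      = @($pref.ExclusionPath)
        ExclusionProcess   = @($pref.ExclusionProcess)
        ExclusionExtension = @($pref.ExclusionExtension)
        RealTimeDisabled   = $pref.DisableRealtimeMonitoring
    }
}

# 2. Event ID 5007 in the Defender operational log records every configuration
#    change, including new exclusions. The last line of the message holds the
#    "New value:" registry path, which names the excluded path or process.
function Get-DefenderExclusionChanges {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated,
            @{ n = 'Change'; e = { (($_.Message -split "`n")[-1]).Trim() } }
}

# 3. The WMI fields a virtualisation check typically reads. Assumed classes;
#    the vendor list is a hypothetical starting point, not an exhaustive one.
function Get-VmIndicators {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $blob = "$($cs.Manufacturer) $($cs.Model) $($bios.Manufacturer)"
    [PSCustomObject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosVendor   = $bios.Manufacturer
        LooksVirtual = [bool]($blob -match 'VMware|VirtualBox|innotek|QEMU|Xen|Virtual Machine|Hyper-V|Parallels')
    }
}

Get-DefenderExclusionState
Get-DefenderExclusionChanges -Days 14 | Format-Table -AutoSize
Get-VmIndicators
```

An exclusion that points into a user profile or a temporary directory, or a 5007 event whose timestamp lines up with the delivery of the phishing email, is the signal to look for; the VM indicators tell you whether the sample will run at all in your sandbox, since a backdoor that sees "VMware" in Win32_ComputerSystem.Manufacturer may simply exit.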