Ongoing phishing campaign targets Poland and Germany with advanced malware

A financially motivated threat actor has been linked to a sophisticated phishing campaign targeting users in Poland and Germany, with the attacks ongoing since at least July 2024. The operation involves various malicious payloads, including well-known malware like Agent Tesla and Snake Keylogger, as well as a previously undocumented backdoor known as TorNet, delivered via a tool called PureCrypter.

The TorNet backdoor enables communication between the victim's machine and the threat actor over the Tor anonymity network. According to an analysis by Cisco Talos, the threat actor is leveraging multiple techniques to avoid detection by traditional security measures.

In some cases, the attacker configures Windows scheduled tasks on victim machines so that they run even when the device is on low battery, which keeps the persistence mechanism alive on laptops where default task settings would otherwise suspend it. Additionally, the threat actor disconnects the victim's device from the network before dropping the malicious payload and reconnects it afterward, so that cloud-based antivirus solutions cannot query their backend reputation services at the moment the file lands on disk.
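The battery-related task settings mentioned above are visible from the endpoint, so a defender can hunt for them. The following PowerShell script is an added example written for this article; it is not code from Cisco Talos or from the campaign. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module, that it is run elevated so that all task folders are readable, and it uses a constructed list of user-writable directories as a heuristic for where a dropped payload is likely to live.

```powershell
# Added defender-side hunt (not from the Talos report): list scheduled tasks whose
# settings allow them both to start and to keep running on battery power, which is
# the unusual configuration described above, and show what each task executes.
# Assumes PowerShell 5.1+ on Windows with the ScheduledTasks module, run elevated.

# Constructed heuristic: payloads dropped by phishing loaders usually sit in
# user-writable locations rather than in Program Files or System32.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) |
    Where-Object { $_ }

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $s = $task.Settings
    # Tasks created through the Task Scheduler UI default to NOT starting on battery
    # and to stopping when the machine switches to battery. Both checks being
    # disabled is the behaviour the campaign relies on for persistence on laptops.
    if ($s.DisallowStartIfOnBatteries -eq $false -and $s.StopIfGoingOnBatteries -eq $false) {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath `
                    -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            $exe       = $action.Execute
            $argString = $action.Arguments
            $cmdLine   = "$exe $argString"
            $inUserDir = $false
            foreach ($dir in $userWritable) {
                if ($cmdLine -like "*$dir*") { $inUserDir = $true }
            }
            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                Author       = $task.Author
                RunAs        = $task.Principal.UserId
                Execute      = $exe
                Arguments    = $argString
                UserWritable = $inUserDir
                LastRunTime  = $info.LastRunTime
            }
        }
    }
}

# Triage user-writable locations first; Microsoft-authored tasks under \Microsoft\
# commonly disable the battery checks for legitimate reasons and can be filtered
# by Author or TaskPath once reviewed.
$findings | Sort-Object UserWritable -Descending | Format-Table -AutoSize
```

Run this on a sample of endpoints before using it fleet-wide: several built-in Windows tasks legitimately run on battery, so the useful signal is the combination of both battery checks being off with an action that points into a user-writable path or an unfamiliar author.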

The phishing emails typically contain fake money transfer confirmations or order receipts. Posing as financial institutions or manufacturing and logistics companies, the emails include compressed attachments with a ".tgz" file extension. This file type is likely used to bypass detection systems that may be trained to flag more common formats like .exe or .zip.

Once the victim opens the attachment and extracts its contents, a .NET loader is triggered. The loader downloads and runs the PureCrypter malware, which, in turn, deploys the TorNet backdoor. Before doing so, the malware performs various checks to ensure that it is not running in a virtual environment or being analyzed by security researchers.

Once the TorNet backdoor is active, it establishes a connection to the command-and-control (C2) server and allows the attacker to execute arbitrary .NET assemblies directly in the victim's memory. This greatly expands the attack surface, providing the attacker with more opportunities for further intrusions and data exfiltration.
