Ongoing phishing campaign targets Poland and Germany with advanced malware

A financially motivated threat actor has been linked to a sophisticated phishing campaign targeting users in Poland and Germany, with the attacks ongoing since at least July 2024. The operation involves various malicious payloads, including well-known malware like Agent Tesla and Snake Keylogger, as well as a previously undocumented backdoor known as TorNet, delivered via a tool called PureCrypter.

The TorNet backdoor enables communication between the victim's machine and the threat actor over the Tor anonymity network. According to an analysis by Cisco Talos, the threat actor is leveraging multiple techniques to avoid detection by traditional security measures.

In some cases, the attacker creates Windows scheduled tasks on victim machines that are configured to run even when the battery is low, so that persistence survives on laptops. Additionally, the threat actor disconnects the victim's device from the network before dropping the malicious payload and reconnects it afterward, evading detection by cloud-based antivirus solutions that need connectivity to scan the file.
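Both evasion tricks described above leave a detectable pattern in endpoint telemetry: a task registration that is allowed to start on battery, and a network adapter disabled, a file written, then the adapter re-enabled within a short window. The following is an added illustration, not code from Cisco Talos or from the campaign; the event records and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified endpoint telemetry (assumed schema, not real data).
@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # task_created | net_disabled | file_written | net_enabled
    detail: dict

def t(s):
    return datetime.fromisoformat(s)

SAMPLE_EVENTS = [
    Event(t("2024-08-01T09:00:00"), "ws01", "task_created",
          {"name": "Updater", "run_on_battery": True}),
    Event(t("2024-08-01T09:00:05"), "ws01", "net_disabled", {"adapter": "Ethernet"}),
    Event(t("2024-08-01T09:00:07"), "ws01", "file_written",
          {"path": r"C:\Users\u\AppData\Roaming\svc.exe"}),
    Event(t("2024-08-01T09:00:12"), "ws01", "net_enabled", {"adapter": "Ethernet"}),
    # Benign: a user toggles Wi-Fi, nothing is dropped while offline.
    Event(t("2024-08-01T10:00:00"), "ws02", "net_disabled", {"adapter": "Wi-Fi"}),
    Event(t("2024-08-01T10:00:30"), "ws02", "net_enabled", {"adapter": "Wi-Fi"}),
    Event(t("2024-08-01T11:00:00"), "ws02", "task_created",
          {"name": "Backup", "run_on_battery": False}),
]

def battery_persistent_tasks(events):
    """Names of task registrations that are allowed to start on battery power."""
    return [e.detail["name"] for e in events
            if e.kind == "task_created" and e.detail.get("run_on_battery")]

def offline_drop_sequences(events, window=timedelta(seconds=60)):
    """Per host: network disabled -> file(s) written -> network re-enabled, all inside window."""
    hits, by_host = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.kind != "net_disabled":
                continue
            dropped = []
            for f in evs[i + 1:]:
                if f.ts - e.ts > window:
                    break
                if f.kind == "file_written":
                    dropped.append(f.detail["path"])
                elif f.kind == "net_enabled":
                    if dropped:  # only alert when something landed while offline
                        hits.append((host, e.ts, dropped))
                    break
    return hits
```

Real deployments would feed this from task-scheduler and adapter-state events rather than the constructed list, and the one-minute window is a tunable assumption.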

The phishing emails typically contain fake money transfer confirmations or order receipts. Posing as financial institutions or manufacturing and logistics companies, the emails include compressed attachments with a ".tgz" file extension. This file type is likely chosen to bypass detection systems that are tuned to flag more common formats such as .exe or .zip.

Once the victim opens the attachment and extracts its contents, a .NET loader is triggered. The loader downloads and runs the PureCrypter malware, which, in turn, deploys the TorNet backdoor. Before doing so, the malware performs various checks to ensure that it is not running in a virtual environment or being analyzed by security researchers.

Once the TorNet backdoor is active, it establishes a connection to the command-and-control (C2) server and allows the attacker to execute arbitrary .NET assemblies directly in the victim's memory. This greatly expands the attack surface, providing the attacker with more opportunities for further intrusions and data exfiltration.
