
A financially motivated cybercriminal is currently conducting a phishing campaign that has been active since at least July 2024, primarily targeting users in Poland and Germany. This campaign has resulted in the deployment of various types of malware, including Agent Tesla, Snake Keylogger, and a newly discovered backdoor named TorNet. TorNet is particularly notable as it enables the attacker to interact with infected machines through the Tor anonymity network.
According to cybersecurity researcher Chetan Raghuprasad from Cisco Talos, the attacker employs a Windows scheduled task on the victim’s system, which allows them to maintain persistence even on devices with low battery levels. Furthermore, the attacker disconnects the affected machines from the internet before executing the malicious payload and then reconnects them. This tactic is designed to evade detection by cloud-based antimalware solutions.
The phishing emails utilized in this campaign often disguise themselves as legitimate communications from financial institutions or logistics companies, featuring fake confirmations of money transfers or shipment orders. These emails typically include attachments with the ".tgz" file extension, likely aimed at escaping detection mechanisms.
When a victim opens the compressed attachment and extracts its contents, a .NET loader is executed. This loader subsequently downloads and executes PureCrypter directly in the system’s memory. Following this, PureCrypter launches the TorNet backdoor while performing several anti-debugging and anti-analysis checks to remain undetected.
The TorNet backdoor connects to a command-and-control (C2) server over the Tor network, which is how the attacker reaches the victim's machine. It can also receive and execute arbitrary .NET assemblies sent from the C2 server, substantially widening the attack surface for follow-on intrusions.
The disclosure of this campaign follows a noted increase in email threats utilizing hidden text techniques to bypass detection by email parsers and spam filters. Researchers recommend developing advanced filtering methods to identify such tactics, including the detection of CSS properties that can obscure content.
To combat these kinds of threats effectively, organizations are encouraged to implement sophisticated filtering techniques along with enhanced monitoring for suspicious email behavior.
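As a defender-side illustration of the two filtering points raised above (.tgz attachments and CSS-hidden text), here is an added example scanner; it is not code from the Talos report, and the sample message, addresses and attachment bytes are constructed.

```python
import email
import re
from email import policy

# Constructed sample: a fake transfer confirmation carrying a .tgz attachment and an
# HTML body that hides filler text with inline CSS (the two techniques named above).
SAMPLE_EML = b"""From: "Bank Support" <noreply@bank.example>
To: victim@corp.example
Subject: Money transfer confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached transfer confirmation.</p>
<span style="display:none">lorem ipsum filler to confuse filters</span>
<div style="font-size:0px;color:#ffffff">more hidden text</div></body></html>
--XYZ
Content-Type: application/octet-stream; name="confirmation.tgz"
Content-Disposition: attachment; filename="confirmation.tgz"
Content-Transfer-Encoding: base64

AAAAAAAA
--XYZ--
"""

SUSPICIOUS_EXTENSIONS = (".tgz", ".tar.gz")

# Inline CSS declarations that make text invisible to a human reader while an
# email parser or spam filter still "sees" it. Same-colour text (colour equal to the
# background) needs rendering context and is deliberately not matched here.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?![.\d])|font-size\s*:\s*0(?:px|pt|em)?(?![.\d])",
    re.IGNORECASE,
)

def scan_message(raw: bytes) -> dict:
    """Return attachment and hidden-CSS findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"suspicious_attachments": [], "hidden_css": []}
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(SUSPICIOUS_EXTENSIONS):
            findings["suspicious_attachments"].append(fname)
        if part.get_content_type() == "text/html":
            findings["hidden_css"].extend(m.group(0) for m in HIDDEN_CSS.finditer(part.get_content()))
    return findings

def is_suspicious(raw: bytes) -> bool:
    """A message is flagged if it carries a .tgz attachment or any hidden-text CSS."""
    f = scan_message(raw)
    return bool(f["suspicious_attachments"] or f["hidden_css"])
```

Run `scan_message(SAMPLE_EML)` to see both indicators reported for the constructed message.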