Table of Contents
TorNet connects infected machines to the TOR network for command and control (C2) communications and detection evasion.
An ongoing phishing campaign, presumably by an advanced persistent threat (APT) actor, is seen dropping a new backdoor on victim systems enabling stealthy C2 operations.
The backdoor, which Cisco’s Talos Intelligence Unit is tracking as TorNet, was found connecting victim machines to the decentralized and anonymizing TOR network for C2 communications.
“Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language,” Talos researchers said in a blog post.
Other payloads delivered by the actor, within the campaign, include Agent Tesla, and Snake Keylogger.
Delivery through PureCryptor malware
According to Talos researchers, the infection begins with a phishing email, written in German and Polish, where the attacker impersonates financial institutions, manufacturing firms, and logistics companies and sends fraudulent transactional receipts.
Phishing emails carry a compressed “.tgz” attachment which, when opened through manual extraction, leads the victim to execute a .NET loader. This loader then downloads an encrypted PureCrypter malware from a compromised staging server, decrypts it, and runs it in memory.
“The actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections.
In some intrusions, the researchers added, PureCrypter deploys the TorNet backdoor, which connects to a C2 server and links the victim’s machine to the TOR network. TorNet can fetch and execute arbitrary .NET assemblies in memory, expanding the attack surface for further compromise.
Achieving persistence and evasion
The actor was seen picking up multiple techniques for persistence and escaping detection, researchers noted. For starters, they ran malware execution as scheduled tasks on victim machines to ensure persistence despite reboots and user logouts.
“The actor is running a Windows scheduled task on victim machines–including on endpoints with a low battery–to achieve persistence,” said Talos researchers.
Additionally, the attacker disconnects the victim’s machine from the network just before delivering the malware, resuming it after the drop is done. This is done to avoid detection by cloud-based antivirus programs. On top of this, the PureCrypter malware itself performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine, researchers added.
It is important to note that the researchers also found email samples written in English, indicating the campaign’s potential to be used outside of these geographies.
