New TorNet Backdoor Exploits TOR Community in Superior Phishing Assault

Superior phishing marketing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly recognized TorNet backdoor through .tgz attachments. All by leveraging PureCrypter and TOR community for stealthy C2.

A malicious marketing campaign, found by Cisco Talos in July 2024, focused customers primarily in Poland and Germany by means of phishing emails containing malicious attachments disguised as.tgz recordsdata. These emails impersonate monetary establishments and companies, typically with themes like cash switch confirmations or order receipts. They’re primarily written in Polish and German and include compressed.tgz recordsdata.

In keeping with Cisco Talos’ analysis, shared with Hackread.com forward of its publishing on Tuesday 28, the actor has deployed different payloads as nicely, together with “Agent Tesla, Snake Keylogger and a brand new undocumented backdoor, which researchers dubbed TorNet. 

When a person extracts an attachment from a file, a.NET executable file seems, which downloads the following stage of the assault, the PureCrypter malware, from a distant server or inside the loader itself (decrypted utilizing the AES algorithm and loaded into the focused machine’s reminiscence). 

The PureCrypter malware is a Home windows dynamic-link library obfuscated with Eziriz’s.NET Reactor obfuscator. It incorporates encrypted binaries of official DLLs, together with Protobuf-net and Microsoft job scheduler DLL, and the TorNet backdoor.

PureCrypter employs varied evasion methods, together with disconnecting the sufferer’s machine from the community earlier than dropping payloads, checking for a digital machine, sandbox atmosphere, or debugger standing, and modifying Home windows Defender settings. It ensures persistence by making a scheduled job that runs each jiffy, even on low battery, and including entries to the Home windows registry to make sure the loader runs on startup. 

Furthermore, it drops the TorNet backdoor, which is a comparatively new .NET backdoor used on this assault to connect with a C2 server over the TOR community for stealthy communication. It anonymizes the communication with the C2 server, making detection more durable. After establishing a connection, it sends figuring out data and permits attackers to hold out distant code execution by sending arbitrary.NET assemblies to the C2 server, therefore, increasing the assault floor considerably.

The marketing campaign makes use of superior methods like community disconnections, Tor community exploitation, and multi-stage payloads. The usage of the Tor community additional hinders monitoring/disruption. This marketing campaign highlights the necessity for steady warning and community monitoring to handle attackers’ rising menace techniques.

RELATED TOPICS

1. New WarmCookie Malware in Espionage Marketing campaign
2. 23% of Tor browser relays discovered to be stealing Bitcoin
3. Kronos Variant banking trojan noticed utilizing Tor community
4. Pretend Tor Browser Installer Spreading Malware By way of YouTube
5. BlackByte Ransomware Exploits VMware Flaw in VPN Assaults