PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks

Jan 28, 2025 | Ravie Lakshmanan | Phishing Attack / Network Security

A financially motivated threat actor has been linked to an ongoing phishing email campaign that has been active since at least July 2024, specifically targeting users in Poland and Germany.

The attacks have led to the deployment of various payloads, such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet that is delivered via PureCrypter. TorNet is so named because it allows the threat actor to communicate with the victim machine over the TOR anonymity network.

“The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence,” Cisco Talos researcher Chetan Raghuprasad said in an analysis published today.


“The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.”

The starting point of the attacks is a phishing email bearing fake money transfer confirmations or order receipts, with the threat actor masquerading as financial institutions and manufacturing and logistics companies. Attached to these messages are files with the extension “.tgz” in a likely attempt to evade detection.


Opening the compressed email attachment and extracting the archive contents leads to the execution of a .NET loader that, in turn, downloads and runs PureCrypter directly in memory.

The PureCrypter malware then proceeds to launch the TorNet backdoor, but not before performing a series of anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine to fly under the radar.

“The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network,” Raghuprasad noted. “It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions.”


The disclosure comes days after the threat intelligence firm said it observed a surge in email threats leveraging hidden text salting in the second half of 2024, with the intent of sidestepping brand name extraction by email parsers and detection engines.

“Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords,” security researcher Omid Mirzaei said. “The idea is to include some characters into the HTML source of an email that are not visually recognizable.”

To counter such attacks, it is recommended to develop advanced filtering techniques that can detect hidden text salting and content concealment, including detecting the use of CSS properties like “visibility” and “display,” and to adopt visual similarity detection approaches (e.g., Pisco) to enhance detection capabilities.
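As an added illustration of the filtering approach described above (this is example code written for this page, not Cisco Talos tooling), the following Python script parses an email's HTML body, tracks which text runs sit inside elements hidden by the CSS “display” and “visibility” properties the text names (a zero font-size rule is added as an extra assumption), and contrasts what a recipient sees with what a naive keyword parser sees. The sample message is constructed.

```python
import re
from html.parser import HTMLParser

# CSS patterns that make content invisible. "display" and "visibility" are the
# properties named in the article; the zero font-size rule is an added assumption.
HIDING_RULES = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(px|pt|em|%)?\s*(;|$)", re.I),
]
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class SaltingParser(HTMLParser):
    """Records each text run with a flag telling whether a CSS-hidden ancestor encloses it."""
    def __init__(self):
        super().__init__()
        self.runs = []      # (text, is_hidden)
        self._stack = []    # (tag, hides) for every open element
        self._depth = 0     # number of open elements that hide their content

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        hides = any(r.search(style) for r in HIDING_RULES)
        self._stack.append((tag, hides))
        self._depth += hides

    def handle_startendtag(self, tag, attrs):
        pass  # self-closing elements carry no text

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        while self._stack:               # pop back to the matching open tag (tolerates sloppy HTML)
            t, hides = self._stack.pop()
            self._depth -= hides
            if t == tag:
                break

    def handle_data(self, data):
        self.runs.append((data, self._depth > 0))

def analyze(html):
    """Return the text a human sees, the text a naive parser sees, and a salting verdict."""
    p = SaltingParser()
    p.feed(html)
    p.close()
    squash = lambda s: re.sub(r"\s+", " ", s).strip()
    rendered = squash("".join(t for t, hidden in p.runs if not hidden))
    raw = squash("".join(t for t, _ in p.runs))
    hidden_chars = sum(len(t.strip()) for t, hidden in p.runs if hidden)
    return {"rendered": rendered, "raw": raw, "hidden_chars": hidden_chars,
            "salted": hidden_chars > 0}

# Constructed sample body: the keyword "payment" is split by hidden characters
# and an invisible block is appended to skew content-based filters.
SAMPLE_HTML = """<html><body>
<p>Your <span style="display:none">xq</span>pay<span style="visibility:hidden">zz</span>ment
<span style="font-size:0">abc</span>confirmation is attached.</p>
<div style="display: none;">invoice invoice invoice</div>
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```

A filter that matches keywords against `raw` never sees “payment”, while `rendered` is what the recipient reads; a non-zero `hidden_chars` count is the signal to flag for review.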
