Europeans targeted with new Tor-using backdoor and infostealers
A financially motivated threat actor has been targeting German and Polish-speaking users with info-stealing malware and TorNet, a previously undocumented .NET backdoor that leverages the Tor network to evade detection.
The phishing email
The attacker sends out fake money transfer confirmations and order receipts via email, supposedly sent by financial institutions and manufacturing and logistics companies.
A phishing email used in the campaign (Source: Cisco Talos)
The emails carry a malicious attachment: a TGZ file (a gzip-compressed TAR archive).
“The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English,” Cisco Talos researchers shared.
Apparently, the campaign has been active since July 2024.
The dropped malware
Users who download the attachment and unzip it trigger a .NET executable, which downloads and runs PureCrypter, a popular malware loader.
PureCrypter is used to download one or more additional malware families:
- Agent Tesla – a remote access trojan (RAT) and data stealer
- Snake Keylogger – a credential stealer and keylogger
- TorNet – a never-before-documented backdoor
PureCrypter, the researchers found, uses a clever technique to prevent cloud-based anti-malware programs from detecting the additional malware it downloads: it orders the target machine to “drop” its currently assigned DHCP IP address, cutting the machine off from the network while the payload is dropped, and then orders it to renew the IP address once the malware is up and running.
PureCrypter also performs anti-debugger, anti-analysis, anti-VM, and anti-malware checks before running, and employs several persistence methods.
In terms of capabilities, Agent Tesla and Snake Keylogger are known quantities. The TorNet backdoor, on the other hand, has been found capable of connecting the victim machine to the Tor network and establishing an anonymized connection to the C2 server.
“[TorNet also] has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions,” the researchers found.
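The two behaviours described above, the DHCP release/renew blackout PureCrypter uses around its downloads and TorNet's Tor-based C2 connection, are both observable in endpoint telemetry. The following is an added detection example, not code from Cisco Talos or from this article. It assumes Sysmon-like JSON-lines records (event ID 1 process creation, event ID 3 network connection), assumes the DHCP drop shows up as `ipconfig.exe` runs with `/release` and `/renew` (the article does not say how the loader performs it), and uses Tor's default ORPort/DirPort 9001/9030 only as a weak indicator where a real deployment would use a consensus-derived relay list. The sample telemetry is constructed and uses RFC 5737 documentation addresses, not real IoCs.

```python
"""Correlating endpoint telemetry for a DHCP release/renew cycle and Tor C2.

Added example, not Cisco Talos or Help Net Security code. Assumptions
(none are stated in the article):
- telemetry arrives as JSON-lines records resembling Sysmon event ID 1
  (process creation) and event ID 3 (network connection);
- the DHCP "drop and renew" shows up as ipconfig.exe runs with /release
  and /renew; the article does not say how the loader performs it;
- Tor's default ORPort/DirPort (9001/9030) serve as a weak indicator, where
  a real deployment would use a consensus-derived relay list.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry; addresses come from RFC 5737 documentation ranges.
SAMPLE_EVENTS = r"""
{"ts":"2024-08-01T10:00:00","id":1,"pid":4100,"ppid":900,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe","cmd":"invoice.exe"}
{"ts":"2024-08-01T10:00:02","id":1,"pid":4120,"ppid":4100,"image":"C:\\Windows\\System32\\ipconfig.exe","cmd":"ipconfig /release"}
{"ts":"2024-08-01T10:00:05","id":1,"pid":4130,"ppid":4100,"image":"C:\\Windows\\System32\\ipconfig.exe","cmd":"ipconfig /renew"}
{"ts":"2024-08-01T10:00:09","id":3,"pid":4100,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe","dst":"203.0.113.7","dport":9001}
{"ts":"2024-08-01T11:00:00","id":1,"pid":5000,"ppid":700,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe"}
{"ts":"2024-08-01T11:00:01","id":1,"pid":5010,"ppid":5000,"image":"C:\\Windows\\System32\\ipconfig.exe","cmd":"ipconfig /all"}
{"ts":"2024-08-01T11:05:00","id":3,"pid":6000,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst":"198.51.100.9","dport":443}
"""

RELEASE_RENEW_WINDOW = timedelta(seconds=60)   # release and renew by the same parent
TOR_DEFAULT_PORTS = {9001, 9030}               # weak indicator only, see module docstring


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with real datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_dhcp_cycle(events, window=RELEASE_RENEW_WINDOW):
    """Return parent PIDs that ran `ipconfig /release` and then `ipconfig /renew`
    within `window`: the network blackout pattern the article attributes to PureCrypter.
    A lone `ipconfig /all` from an admin shell does not match."""
    release_seen = {}  # parent pid -> time of the /release
    hits = []
    for ev in events:
        if ev["id"] != 1 or basename(ev["image"]) != "ipconfig.exe":
            continue
        args = ev["cmd"].lower()
        if "/release" in args:
            release_seen[ev["ppid"]] = ev["ts"]
        elif "/renew" in args and ev["ppid"] in release_seen:
            if ev["ts"] - release_seen.pop(ev["ppid"]) <= window:
                hits.append(ev["ppid"])
    return hits


def detect_tor_candidates(events, suspect_pids=()):
    """Return (pid, dst, dport) for outbound connections to Tor default ports,
    or any outbound connection made by a process already flagged as a suspect."""
    suspects = set(suspect_pids)
    hits = []
    for ev in events:
        if ev["id"] != 3:
            continue
        if ev["dport"] in TOR_DEFAULT_PORTS or ev["pid"] in suspects:
            hits.append((ev["pid"], ev["dst"], ev["dport"]))
    return hits


def analyze(text):
    """Chain the two detectors: a DHCP release/renew cycle raises the parent's
    suspicion so that its later network activity is reported even on port 443."""
    events = parse_events(text)
    images = {ev["pid"]: basename(ev["image"]) for ev in events if ev["id"] == 1}
    cycle_parents = detect_dhcp_cycle(events)
    return {
        "dhcp_cycle_parents": [(pid, images.get(pid, "?")) for pid in cycle_parents],
        "tor_candidates": detect_tor_candidates(events, cycle_parents),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample, the executable in the user's Temp directory (PID 4100) is flagged because it drove a release/renew pair three seconds apart and then opened an outbound connection on 9001; the administrator's `ipconfig /all` and the browser's HTTPS traffic are not reported. The chaining matters for the Tor case: once a parent has done the DHCP cycle, its connections are reported regardless of port, so a C2 channel on 443 would still surface.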
Cisco Talos has shared indicators of compromise related to this campaign.