New TorNet backdoor seen in widespread campaign

Jan. 29, 2025, 12:32 p.m.

Description

A financially motivated threat actor has been conducting a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The campaign uses phishing emails impersonating financial institutions and companies to deliver various payloads, including a new backdoor called TorNet. The actor employs sophisticated techniques such as disconnecting victims from the network before payload delivery and using the TOR network for stealthy communications. The TorNet backdoor can receive and run arbitrary .NET assemblies, expanding the attack surface. The campaign also utilizes PureCrypter malware, which performs anti-analysis checks and establishes persistence through Windows scheduled tasks. The attackers demonstrate advanced evasion techniques and the ability to adapt their tactics for maximum effectiveness.

Date

  • Created: Jan. 28, 2025, 5:19 p.m.
  • Published: Jan. 28, 2025, 5:19 p.m.
  • Modified: Jan. 29, 2025, 12:32 p.m.

Attack Patterns

  • TorNet
  • Snake Keylogger
  • Agent Tesla - S0331
  • PureCrypter
  • T1053.005
  • T1573.002
  • T1573.001
  • T1218.011
  • T1059.001
  • T1571
  • T1547.001
  • T1012
  • T1497
  • T1071.001
  • T1562.001
  • T1204.002
  • T1102
  • T1055
  • T1140
  • T1027
  • T1566

Additional Information

  • Transportation
  • Finance
  • Manufacturing
  • Poland
  • Germany