New TorNet backdoor seen in widespread campaign

Jan. 29, 2025, 12:32 p.m.

Description

A financially motivated threat actor has been conducting a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The campaign uses phishing emails impersonating financial institutions and companies to deliver various payloads, including a new backdoor called TorNet. The actor employs sophisticated techniques such as disconnecting victims from the network before payload delivery and using the TOR network for stealthy communications. The TorNet backdoor can receive and run arbitrary .NET assemblies, expanding the attack surface. The campaign also utilizes PureCrypter malware, which performs anti-analysis checks and establishes persistence through Windows scheduled tasks. The attackers demonstrate advanced evasion techniques and the ability to adapt their tactics for maximum effectiveness.

External References

https://blog.talosintelligence.com/new-tornet-backdoor-campaign/
https://otx.alienvault.com/pulse/6799119e1ef4b5b2bb7332f2
Tags
backdoor
phishing
evasion
poland
purecrypter
agent tesla
snake keylogger
2025-01-28
tornet
tor network

Date

  • Created: Jan. 28, 2025, 5:19 p.m.
  • Published: Jan. 28, 2025, 5:19 p.m.
  • Modified: Jan. 29, 2025, 12:32 p.m.

Attack Patterns

  • TorNet
  • Snake Keylogger
  • Agent Tesla - S0331
  • PureCrypter
  • T1053.005
  • T1573.002
  • T1573.001
  • T1218.011
  • T1059.001
  • T1571
  • T1547.001
  • T1012
  • T1497
  • T1071.001
  • T1562.001
  • T1204.002
  • T1102
  • T1055
  • T1140
  • T1027
  • T1566

Additional Informations

  • Transportation
  • Finance
  • Manufacturing
  • Poland
  • Germany