A financially motivated threat actor has been linked to an ongoing phishing campaign, active since at least July 2024, that targets users in Poland and Germany. The emails carry malicious attachments that deploy several payloads, including Agent Tesla, Snake Keylogger, and a newly identified backdoor named TorNet. TorNet itself is delivered by PureCrypter, a malware loader.
TorNet: A Stealthy Backdoor Using TOR for C2 Communication
TorNet gets its name from its ability to establish communication over the TOR anonymity network, allowing attackers to maintain stealthy and persistent access to compromised systems.
According to Cisco Talos researcher Chetan Raghuprasad, "The actor is running a Windows scheduled task on victim machines—including on low-battery endpoints—to achieve persistence. They also disconnect the victim machine from the network before dropping the payload and reconnect it afterward, helping them evade cloud-based anti-malware detection."
Phishing Emails: The Initial Attack Vector
The attack chain begins with phishing emails disguised as fake money transfer confirmations or order receipts. These messages impersonate financial institutions, logistics companies, and manufacturing firms to trick recipients into opening malicious attachments.
The attachments use the .tgz extension, most likely chosen to slip past traditional email security filters. Once the recipient extracts the archive and runs the file inside, a .NET-based loader downloads PureCrypter and runs it directly in memory, so PureCrypter itself is never written to disk where file-based scanning would see it.
Evasion Techniques and Advanced Capabilities
Before executing the TorNet backdoor, PureCrypter runs a series of evasion checks, including:
✅ Anti-debugging – Detecting an attached debugger so analysts cannot step through the code.
✅ Anti-analysis – Detecting sandbox environments and aborting if one is found.
✅ Anti-VM checks – Identifying virtualized environments and refusing to run in them.
✅ Anti-malware checks – Identifying security products on the host and attempting to disable or avoid them.
Once executed, TorNet connects to the attacker's command-and-control (C2) server and also joins the compromised device to the TOR network. This gives the attackers the ability to:
Download and execute arbitrary .NET assemblies in memory, so follow-on payloads never touch disk.
Widen the attack surface for further exploitation of the host.
Maintain persistent access while hiding C2 traffic from network monitoring tools.
Rising Threat of Email-Based Attacks
The disclosure comes amid a surge in email-based threats that use hidden text salting to evade email security filters. The technique inserts characters into an email's HTML that the recipient never sees; the visible message reads normally, but the underlying text is broken up or padded so that spam filters and detection engines relying on keyword recognition no longer match.
According to security researcher Omid Mirzaei, "Hidden text salting is a simple yet effective method for bypassing email parsers, confusing spam filters, and evading detection mechanisms. Attackers use CSS properties like visibility: hidden and display: none to insert undetectable text."
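As an added illustration of the technique described above (example code, not from the article or from Cisco Talos), the following Python separates the text an email recipient actually sees from text hidden with the CSS properties in the quote or with zero-width characters, then scores a keyword rule against both views. The sample email is constructed; element and property names are standard HTML/CSS.

```python
"""Detect hidden-text salting in an HTML email body.

Added example, not code from the article or from Cisco Talos. It separates
text hidden by CSS (display:none, visibility:hidden, font-size:0) and
zero-width characters from the text the recipient actually sees, so a
keyword rule can be scored against the rendered view rather than the raw
source. The sample email at the bottom is constructed for this example.
"""
import re
from html.parser import HTMLParser

# CSS declarations that make an element invisible to the reader.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)",
    re.I,
)
# Characters with no visible glyph, often inserted inside keywords.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
# Elements whose content is never rendered as body text.
NON_RENDERED = {"style", "script", "head", "title"}
# Void elements never get an end tag, so they must not touch the stack.
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source", "wbr"}
# Block elements: a line break is emitted when they close.
BLOCK = {"p", "div", "li", "tr", "td", "h1", "h2", "h3", "table"}


class SaltingParser(HTMLParser):
    """Splits the document's text into visible and hidden runs."""

    def __init__(self):
        super().__init__()
        self.all_text = []      # every text node, in document order
        self.visible = []       # text nodes the recipient sees
        self.hidden = []        # text nodes suppressed by CSS or non-rendered tags
        self._stack = []        # (tag, hides_content) for each open element
        self._hidden_depth = 0  # >0 while inside at least one hidden element

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        hides = tag in NON_RENDERED or bool(HIDDEN_CSS.search(style))
        self._stack.append((tag, hides))
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID or tag not in (t for t, _ in self._stack):
            return
        # Pop to the matching open tag; tolerates unclosed children.
        while self._stack:
            open_tag, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if open_tag == tag:
                break
        if tag in BLOCK:
            self.handle_data("\n")

    def handle_data(self, data):
        self.all_text.append(data)
        (self.hidden if self._hidden_depth else self.visible).append(data)


def _normalize(text: str, strip_zero_width: bool = True) -> str:
    if strip_zero_width:
        text = ZERO_WIDTH.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def analyze(html: str) -> dict:
    """Return the rendered text, the hidden text and salting indicators."""
    parser = SaltingParser()
    parser.feed(html)
    parser.close()
    hidden = _normalize(" ".join(parser.hidden))
    zero_width = len(ZERO_WIDTH.findall(html))
    return {
        # What a naive tag-stripping filter would score (zero-width chars kept).
        "raw_text": _normalize("".join(parser.all_text), strip_zero_width=False),
        # What the recipient reads.
        "visible_text": _normalize("".join(parser.visible)),
        "hidden_text": hidden,
        "zero_width_chars": zero_width,
        "salted": bool(hidden) or zero_width > 0,
    }


def keyword_hits(text: str, keywords: list) -> list:
    """Case-insensitive substring match, the kind of rule salting is meant to defeat."""
    lowered = text.lower()
    return [k for k in keywords if k.lower() in lowered]


# Constructed phishing lure: "payment" is split by a display:none span,
# "confirmed" carries a zero-width space, and a hidden paragraph pads
# the body with filler to skew content scoring.
SAMPLE_EMAIL = (
    "<html><head><style>p{margin:0}</style></head><body>"
    '<p>Your pay<span style="display:none">xq</span>ment of EUR 4,250.00 '
    "was conf\u200birmed.</p>"
    '<p style="visibility: hidden">lorem ipsum dolor sit amet consectetur</p>'
    "<p>Open the attached receipt: <b>invoice_2024_07.tgz</b></p>"
    "</body></html>"
)

if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    lure_words = ["payment", "confirmed"]
    print("salted:", result["salted"], "zero-width:", result["zero_width_chars"])
    print("raw-text hits:    ", keyword_hits(result["raw_text"], lure_words))
    print("visible-text hits:", keyword_hits(result["visible_text"], lure_words))
```

Scoring keywords against `raw_text` misses both lure words because the hidden span and the zero-width space break them up; scoring against `visible_text` finds both, which is the point of rendering before matching.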
How to Defend Against These Attacks
To mitigate these threats, security professionals should:
Implement email filtering that renders or parses HTML the way a recipient sees it, so hidden text salting and other content concealment do not skew keyword and content scoring.
Monitor the creation of Windows scheduled tasks, especially ones configured to run on battery power, since that is how this actor achieves persistence.
Watch for endpoints that briefly drop off the network and reconnect, the pattern this actor uses to hide the payload drop from cloud-based anti-malware.
Adopt visual similarity detection methods like Pisco to identify email-based threats that evade text-based rules.
Educate users on phishing tactics, including unfamiliar archive types such as .tgz, to reduce the risk of accidental malware execution.
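As an added example of the scheduled-task check in the list above (example code, not tooling from Cisco Talos or from the article), the Python below parses the Task Scheduler XML that Windows records in Security event 4698 ("A scheduled task was created") and flags definitions matching the pattern in the Talos quote: allowed to start and keep running on battery, hidden, launched from a user-writable folder, or repeating every few minutes. The event records and task definitions are constructed; the element names are the real Task Scheduler XML schema.

```python
"""Triage Windows scheduled-task creations for the persistence pattern above.

Added example, not Cisco Talos tooling. It parses the Task Scheduler XML
that Security event 4698 ("A scheduled task was created") records in its
TaskContent field and flags tasks that keep running on battery, hide
themselves, execute from a user-writable directory, or repeat at short
intervals. The two events below are constructed; the XML element names
follow the real Task Scheduler schema.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directory markers a user can write to without elevation (lower-case, backslash-delimited).
USER_WRITABLE = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
    "\\users\\public\\", "\\downloads\\",
)
SHORT_INTERVAL_SECONDS = 300


def iso_duration_seconds(value: str):
    """Parse the ISO 8601 durations Task Scheduler uses (e.g. PT2M, P1DT1H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(task_xml: str) -> dict:
    """Return the indicators found in one task definition."""
    root = ET.fromstring(task_xml)
    reasons = []

    def setting(name: str, default: str) -> str:
        el = root.find(f"t:Settings/t:{name}", NS)
        return (el.text or default).strip().lower() if el is not None else default

    # Task Scheduler defaults both battery settings to true; malware flips them.
    if (setting("DisallowStartIfOnBatteries", "true") == "false"
            and setting("StopIfGoingOnBatteries", "true") == "false"):
        reasons.append("runs and keeps running on battery")
    if setting("Hidden", "false") == "true":
        reasons.append("hidden from the Task Scheduler UI")

    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append(f"executes from user-writable path: {path}")

    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs is not None and secs < SHORT_INTERVAL_SECONDS:
            reasons.append(f"repeats every {secs}s")

    # One indicator alone is common in legitimate software; require two.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def triage(events: list) -> list:
    """Run analyze_task over 4698-style events; return (task name, result) for suspicious ones."""
    flagged = []
    for event in events:
        result = analyze_task(event["TaskContent"])
        if result["suspicious"]:
            flagged.append((event["TaskName"], result))
    return flagged


# Constructed task definitions, as they appear in the TaskContent field of event 4698.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT2M</Interval></Repetition>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe"</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-07-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed 4698 events; real ones carry the same TaskName and TaskContent fields.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Microsoft\Windows\svchost", "TaskContent": SUSPICIOUS_TASK},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Vendor\Updater", "TaskContent": BENIGN_TASK},
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS):
        print(name)
        for reason in result["reasons"]:
            print("  -", reason)
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled in the advanced audit policy, so confirm that before relying on this in a SIEM rule; the two-indicator threshold is a starting point, since many legitimate installers set the battery flags but do not also hide the task or run from a profile directory.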
Final Thoughts
The ongoing phishing campaign utilizing PureCrypter, Agent Tesla, and the TorNet backdoor highlights the evolving sophistication of financially motivated cybercriminals. Organizations must stay vigilant by deploying advanced threat detection solutions and enhancing email security measures to prevent these attacks from compromising sensitive systems.