TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads
Table of contents:
Financially motivated hackers are behind an ongoing malicious campaign targeting Poland and Germany. These phishing attacks aim to deploy multiple payloads, including Agent Tesla, Snake Keylogger, and a novel backdoor dubbed TorNet, which is delivered via PureCrypter malware.
Detect TorNet Backdoor
A significant rise in phishing campaigns, with a 202% increase in phishing messages over the second half of 2024, indicates that this attack vector continues to be a persistent threat. The emergence of a TorNet backdoor distributed via PureCrypter malware in an ongoing phishing campaign, which uses advanced detection evasion techniques, requires swift and proactive responses from defenders.
SOC Prime Platform offers curated detection content, including vendor-agnostic Sigma rules and automatically generated IOC queries, to proactively defend against TorNet backdoor intrusions. To access the detection stack, simply click Explore Detections below.
The detection content is aligned with MITRE ATT&CK® and enriched with actionable threat intelligence and relevant metadata, including false positives, audit configuration recommendations, binaries, and media references to help defenders streamline threat research. Additionally, security engineers can use Uncoder AI to instantly translate the detection code into the SIEM, EDR, or Data Lake language format in use, as well as accelerate IOC parsing and their conversion into custom hunting queries based on IOCs from the corresponding Cisco Talos report.
TorNet Backdoor Analysis
Cisco Talos has recently identified an ongoing malicious campaign that has been active since at least mid-summer 2024. The campaign is orchestrated by financially motivated threat actors, primarily targeting users in Poland and Germany, as indicated by the phishing email language. PureCrypter malware used in this campaign delivers multiple nefarious payloads, including Agent Tesla and Snake Keylogger, and drops TorNet, a newly uncovered backdoor. The name “TorNet” reflects its offensive capability to enable adversaries to communicate with the victim’s machine through the TOR network.
The infection chain begins with a phishing email serving as the initial attack vector. Adversaries send fraudulent money transfer confirmations and fake order receipts. Most phishing emails are written in Polish and German, suggesting a primary focus on users in those regions, though some samples in English have also been identified.
The phishing emails contain attachments with a “.tgz” file extension, indicating that the attacker has used GZIP to compress a TAR archive of the malicious file. This tactic helps obscure the true nature of the attachment and hinder anti-malware analysis.
By opening the email attachment, extracting it, and running the .NET loader, it downloads encrypted PureCrypter malware from a targeted server. The loader then decrypts and executes it in system memory. In some cases, PureCrypter deploys the TorNet backdoor, which connects to the C2 server and integrates the compromised machine into the TOR network. TorNet can fetch and execute arbitrary .NET assemblies in memory, expanding the attack surface for further infection. Notably, the compressed weaponized attachments contain a large .NET executable, designed to either download the next-stage malware from a remote staging server or directly execute an embedded malicious binary in memory.
PureCrypter malware drops the TorNet backdoor by first creating a mutex on the targeted machine, releasing the assigned DHCP IP address, and further establishing persistence. It then carries out anti-analysis techniques, deploys and executes the payload, and finally renews the vulnerable machine’s IP address.
PureCrypter conducts multiple detection evasion checks. For instance, the malware detects debugging via the “CheckRemoteDebuggerPresent” function, identifies sandbox environments by scanning for “sbieDLL.dll” and “cuckoomon.dll,” and checks for virtual environments using WMI queries, searching for strings like “VMware,” “VIRTUAL,” “AMI,” and “Xen.” In addition, PureCrypter is also capable of altering Windows Defender settings by running PowerShell commands to exclude its process and the dropped backdoor’s path from security scans.
After bypassing security checks, PureCrypter decrypts and drops the backdoor into the user’s temporary folder with a random filename. It also decrypts another resource to generate filenames and task names for the Windows Task Scheduler. To establish persistence, it adds the loader’s path to the Run registry key and creates a scheduled task, which remains active even on battery power. This ensures continuous execution and prevents the OS from deprioritizing it when the device has low battery power.
Finally, PureCrypter drops the TorNet backdoor to connect to a C2 server via the TOR network, ensuring stealthy communication. By anonymizing the connection, it makes detection more challenging for defenders. Once connected, TorNet sends identifying information and enables remote code execution by receiving arbitrary .NET assemblies from the C2 server, significantly broadening the attack surface.
The use of sophisticated detection evasion tactics and the ability to deploy multi-stage payloads throughout this ongoing phishing campaign underscores the importance of ongoing vigilance and network monitoring to counter evolving cyber threats. SOC Prime Platform for collective cyber defense equips defenders with a future-proof product suite for advanced threat detection, automated threat hunting, and intelligence-driven detection engineering to always stay ahead of adversaries and timely identify malicious intrusions.
