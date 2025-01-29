Phishing, Email security, Malware, Threat Intelligence

Phishing campaign in Poland and Germany deploys TorNet backdoor

A financially motivated phishing campaign has been targeting users in Poland and Germany since at least July 2024, using PureCrypter to deliver malware including Agent Tesla, Snake Keylogger, and a newly identified backdoor called TorNet, according to The Hacker News.

According to a report by Cisco Talos, the attackers use phishing emails disguised as financial transactions or order confirmations, often impersonating banks and logistics companies. The emails carry attachments with the .tgz extension that, when opened, trigger a .NET loader to download and execute PureCrypter in memory. After running several anti-detection checks, PureCrypter launches the TorNet backdoor, which connects the infected device to the attacker's command-and-control server and to the TOR network. "The actor is running a Windows scheduled task on victim machines -- including on endpoints with a low battery -- to achieve persistence. The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions," according to the analysis.
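The two behaviours quoted above translate directly into hunting logic: a scheduled task whose battery settings are switched off so it keeps running on unplugged laptops, and a file write that lands between a network disconnect and a reconnect a short time later. The following Python is an added example written for this page, not code from Talos, PureCrypter or TorNet. It parses the standard Task Scheduler XML (as printed by `schtasks /query /xml` or carried in Security event 4698) and correlates a constructed event timeline; the task definitions, timestamps, paths and the list of "user-writable" directories are all constructed assumptions, not indicators from the report.

```python
"""Hunting heuristics for the two behaviours quoted from the Talos analysis:
a scheduled task allowed to run on battery power, and a network
disconnect/reconnect that brackets a payload drop.  Added example for this
page, not Talos or PureCrypter code; all sample data below is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a mail-delivered loader can write to without elevation.
# Assumed list for the example; tune it to your environment.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def task_findings(task_xml: str) -> list:
    """Return the reasons a Task Scheduler definition looks suspicious.

    task_xml is a task definition as printed by `schtasks /query /tn <name> /xml`
    or as carried in Security event 4698.  Exported files usually start with a
    UTF-16 declaration; pass the raw bytes in that case so ET honours the BOM.
    """
    root = ET.fromstring(task_xml)
    findings = []

    def setting(name):
        el = root.find(f"t:Settings/t:{name}", TASK_NS)
        return None if el is None else (el.text or "").strip().lower()

    # The Task Scheduler GUI defaults both settings to true; a task that
    # explicitly turns them off is built to keep going on laptops on battery.
    if setting("DisallowStartIfOnBatteries") == "false":
        findings.append("may start on battery")
    if setting("StopIfGoingOnBatteries") == "false":
        findings.append("keeps running on battery")

    for exec_el in root.iterfind("t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append(f"runs from user-writable path: {cmd} {args}".rstrip())
    return findings


def offline_drops(events, window=timedelta(minutes=5)):
    """Correlate net_down / file_create / net_up events.

    events: iterable of (timestamp, kind, detail) with kind in
    {"net_down", "file_create", "net_up"}.  In practice the network events
    come from Microsoft-Windows-NetworkProfile/Operational and the file
    events from Sysmon event 11.  Returns (timestamp, path) for files written
    while the host was offline when connectivity returned within `window`,
    which is the "disconnect, drop, reconnect" sequence the report describes.
    """
    hits, down_at, pending = [], None, []
    for ts, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "net_down":
            down_at, pending = ts, []
        elif kind == "file_create" and down_at is not None:
            pending.append((ts, detail))
        elif kind == "net_up" and down_at is not None:
            if ts - down_at <= window:
                hits.extend(pending)
            down_at, pending = None, []
    return hits


# Constructed task definitions (not real indicators from the report).
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jdoe\AppData\Roaming\svc\loader.exe</Command>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\defrag.exe</Command>
      <Arguments>C: /O</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed timeline: a drop bracketed by a 45-second offline window, then
# an unrelated disconnect that lasts an hour.
T0 = datetime(2024, 9, 3, 10, 15, 0)
SAMPLE_EVENTS = [
    (T0, "net_down", "Ethernet"),
    (T0 + timedelta(seconds=20), "file_create", r"C:\Users\jdoe\AppData\Roaming\svc\loader.exe"),
    (T0 + timedelta(seconds=45), "net_up", "Ethernet"),
    (T0 + timedelta(minutes=30), "net_down", "Ethernet"),
    (T0 + timedelta(minutes=31), "file_create", r"C:\Users\jdoe\Documents\notes.txt"),
    (T0 + timedelta(minutes=90), "net_up", "Ethernet"),
]

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, task_findings(xml_text))
    for ts, path in offline_drops(SAMPLE_EVENTS):
        print("dropped while offline:", ts, path)
```

Neither signal is conclusive on its own: administrators do create tasks that run on battery, and users do unplug laptops. The value is in the combination, a task pointing into a user-writable directory whose binary appeared during a short offline gap, which is why both checks return structured findings rather than a single verdict.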

Related

Microsoft unveils scareware blocker for Edge

The new security tool is integrated into the company's Edge browser and uses machine learning and computer vision to identify fraudulent full-screen pop-ups that trick users into installing malware or purchasing unnecessary software.

Hidden text salting in scam emails ramps up

Hidden text salting has been used not only to evade spam filters' keyword detection, as seen in separate phishing attacks impersonating Wells Fargo and Norton LifeLock, but also to fool Microsoft's language detection module and slip past security filters.

