- Vulnerable U
Phishing Attacks Lead to New TorNet Backdoor
An ongoing phishing campaign delivers a new, undocumented backdoor called TorNet, as well as Agent Tesla and the Snake keylogger.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/6f836407-1123-40f4-b190-ca71cb7ca5f6/dark-1852985_1280.jpg?t=1738080135)
Researchers have discovered an ongoing phishing campaign that delivers a variety of different malware types, including a new, undocumented backdoor called TorNet.
The backdoor establishes a connection to the command-and-control (C2) server and connects the victim machine to the Tor network, allowing the threat actors behind the phishing attack to maintain stealthy C2 communications and skirt detection measures.
Key Details:
- The new backdoor is part of a campaign that started as early as July 2024 and has targeted users mostly located in Poland and Germany. Researchers found phishing emails predominantly written in Polish and German, with some also written in English.
- The threat actor impersonates financial institutions, as well as manufacturing and logistics companies, and sends fake money transfer confirmations and fake order receipts to victim organizations.
- The TGZ attachments in the emails, once opened, eventually lead to the download of the PureCrypter malware, which runs the TorNet backdoor.
- The campaign has also delivered different payloads, like the Agent Tesla remote access trojan and the Snake keylogger.
Why It Matters: The new TorNet backdoor, and the campaign linked to it, are yet another example of how attackers across the threat landscape are continually upping their game with new malware and constantly looking for new detection evasion techniques.
The Details: Both the PureCrypter malware and the TorNet backdoor that it runs perform anti-debugging, anti-malware, anti-VM and sandbox evasion checks. When deploying PureCrypter, the threat actors first released the currently assigned DHCP IP address on the targeted machine, then established persistence, performed anti-analysis and detection-evasion tasks, ran the payload, and finally renewed the IP address on the machine.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/7fda6963-9b10-4f7a-ada2-dd1a2ea480a0/data-src-image-f20f9234-69b0-4187-bd36-2a1b9efb1715.jpg?t=1738080202)
Image Credit: Cisco Talos
“The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connecting back to the network after dropping and running the backdoor,” said Chetan Raghuprasad with Cisco Talos.
Meanwhile, TorNet’s ability to connect the victim machine to the Tor network (via downloading the Tor expert bundle from the Tor Project archive site) is another detection evasion mechanism.
“Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127[.]0[.]0[.]1:9050), and with the ‘socket.Poll’ function, it routes all traffic from the backdoor process on the victim machine through the TOR network,” said Raghuprasad. “The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.”
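The two behaviours described above, the DHCP release-then-renew bracketing the payload launch and the backdoor's use of the local Tor SocksPort on 127.0.0.1:9050, both leave traces in ordinary endpoint telemetry. The following Python is an added example written for this post, not code from Vulnerable U or Cisco Talos: it runs two simple detection rules over a constructed, normalized event timeline. The event schema, host names, image names (e.g. `dropped_payload.exe`) and timestamps are all invented placeholders; the only value taken from the article is the Tor SocksPort 9050.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tor's default SocksPort; the article quotes TorNet using 127.0.0.1:9050.
TOR_SOCKS_PORT = 9050
LOOPBACK = "127.0.0.1"


@dataclass
class Event:
    """One normalized endpoint telemetry record (constructed schema, not a
    real EDR or Sysmon format)."""
    ts: datetime
    host: str
    kind: str            # "dhcp_release" | "dhcp_renew" | "process_start" | "net_connect"
    process: str = ""    # image name for process_start / net_connect
    dest_ip: str = ""    # net_connect only
    dest_port: int = 0   # net_connect only


def detect_release_run_renew(events, window=timedelta(minutes=5)):
    """Flag the 'release IP -> launch something -> renew IP' sequence.

    For every dhcp_release on a host, collect process starts that occur
    before the next dhcp_renew on that host within `window`. A release that
    brackets new process activity is the behaviour the article attributes to
    PureCrypter; a renew on its own is normal lease maintenance and is ignored.
    """
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.kind != "dhcp_release":
                continue
            started = []
            for f in evs[i + 1:]:
                if f.ts - e.ts > window:
                    break
                if f.kind == "process_start":
                    started.append(f.process)
                elif f.kind == "dhcp_renew":
                    if started:
                        alerts.append({
                            "host": host,
                            "rule": "dhcp_release_run_renew",
                            "offline_seconds": int((f.ts - e.ts).total_seconds()),
                            "processes": started,
                        })
                    break
    return alerts


def detect_local_tor_socks(events, expected_tor_hosts=frozenset()):
    """Flag any process connecting to the Tor SocksPort on loopback on a
    host where no Tor client is expected to run."""
    alerts = []
    for e in events:
        if (e.kind == "net_connect" and e.dest_ip == LOOPBACK
                and e.dest_port == TOR_SOCKS_PORT
                and e.host not in expected_tor_hosts):
            alerts.append({"host": e.host, "rule": "loopback_tor_socks",
                           "process": e.process})
    return alerts


def sample_events():
    """Constructed timeline for two hosts; all names and times are placeholders."""
    t0 = datetime(2025, 1, 28, 10, 0, 0)
    return [
        # WS-01: release, payload start while offline, renew, then loopback SOCKS
        Event(t0, "WS-01", "dhcp_release"),
        Event(t0 + timedelta(seconds=5), "WS-01", "process_start",
              process="dropped_payload.exe"),
        Event(t0 + timedelta(seconds=40), "WS-01", "dhcp_renew"),
        Event(t0 + timedelta(seconds=70), "WS-01", "net_connect",
              process="dropped_payload.exe", dest_ip="127.0.0.1", dest_port=9050),
        # WS-02: an ordinary lease renewal and a browser connection (benign)
        Event(t0 + timedelta(minutes=1), "WS-02", "dhcp_renew"),
        Event(t0 + timedelta(minutes=2), "WS-02", "net_connect",
              process="browser.exe", dest_ip="203.0.113.10", dest_port=443),
    ]


if __name__ == "__main__":
    evs = sample_events()
    for alert in detect_release_run_renew(evs) + detect_local_tor_socks(evs):
        print(alert)
```

Running the script prints one alert per rule, both for `WS-01`; `WS-02`'s lone renew and outbound 443 connection stay quiet. In a real deployment the DHCP rule would be fed from the DHCP client event log or network-interface state changes, and the SOCKS rule from process-level connection telemetry, with an allow-list of hosts where a Tor client is legitimately installed.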
The Big Picture: Researchers with Cisco Talos said they believe “with medium confidence” that the threat actor is financially motivated based on the phishing email themes and the filenames of the email attachments.