# Full Report
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.
# Analysis Summary
# Threat Actor: Financially Motivated Threat Actor (Associated with TorNet Backdoor)
## Attribution & Identity
The actor is identified solely by their financially motivated objectives and recent campaign activity discovered since July 2024. No specific threat group name or nation-state attribution is provided.
## Activity Summary
The actor is running an ongoing malicious campaign primarily targeting users in Poland and Germany, indicated by the language of the phishing emails (predominantly Polish and German, with some English samples). The campaign begins with phishing emails impersonating financial institutions (fake money transfer confirmations) and manufacturing/logistics companies (fake order receipts). The attack chain involves an initial compressed attachment (`.tgz`), followed by a .NET loader which downloads or deploys the malware payload. The primary discovered payload chain utilizes **PureCrypter** to deploy a new, undocumented backdoor named **TorNet**.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing via email with compressed attachments (`.tgz`).
- **Execution:** Manual unzipping and execution of a .NET loader executable or reflective loading of an embedded binary.
- **Defense Evasion (Network Disconnection):** Temporarily taking the victim machine offline by releasing its DHCP lease (`ipconfig /release`) before dropping and running the payload, then renewing the lease (`ipconfig /renew`) to reconnect, so that cloud-based anti-malware solutions never see the payload execute.
- **Defense Evasion (In-Memory Execution):** PureCrypter loads malware (including TorNet) reflectively into system memory.
- **Defense Evasion (Anti-Analysis):** Extensive checks within PureCrypter, including debugger detection (`CheckRemoteDebuggerPresent`), sandbox detection (checking for `sbieDLL.dll`, `cuckoomon.dll`), and VM detection (WMI queries searching for "VMware", "VIRTUAL", "AMI", "Xen", and checking for "vmGuestLib.dll").
- **Persistence:** Establishing persistence via a Windows scheduled task configured to run even when the endpoint is on low battery.
- **Command and Control (C2):** TorNet utilizes the TOR network for stealthy C2 communications and detection evasion.
- **Payload Delivery:** Use of obfuscated DLLs (PureCrypter obfuscated with Eziriz's .NET Reactor).
- **Lateral Movement/Further Intrusion:** The TorNet backdoor can receive and execute arbitrary .NET assemblies in memory from the C2 server.
- **MITRE ATT&CK IDs (Implied/Associated):** T1059.001 (PowerShell/Command Shell Execution), T1547.001 (Registry Run Keys) or T1053.005 (Scheduled Task/Job).
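The network-disconnection evasion above leaves a recognisable trace in process-creation telemetry: `ipconfig /release`, one or more processes started from a user-writable directory, then `ipconfig /renew`, all within a short window on the same host. The following detection logic is an added example and not code from the Talos report; the pipe-delimited log format, the field names, the host names and the sample events are all constructed for this example, and the window and path list are tunable assumptions.

```python
"""
Added example (not code from the Talos report): flag the
"release DHCP lease, run payload, renew lease" sequence in
process-creation telemetry. The pipe-delimited log format, the field names
and the sample events are all constructed for this example; map them onto
your own EDR or Sysmon Event ID 1 fields before use.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry: ts|host|image|command line.
# WS-PL-01 shows ordinary admin use of ipconfig; WS-DE-07 shows the
# disconnect / execute / reconnect pattern around a loader in %TEMP%.
SAMPLE_LOG = r"""
2024-07-15T09:00:01Z|WS-PL-01|C:\Windows\System32\ipconfig.exe|ipconfig /all
2024-07-15T09:00:05Z|WS-PL-01|C:\Program Files\App\app.exe|app.exe --update
2024-07-15T10:12:00Z|WS-DE-07|C:\Windows\System32\ipconfig.exe|ipconfig /release
2024-07-15T10:12:02Z|WS-DE-07|C:\Users\jdoe\AppData\Local\Temp\loader.exe|loader.exe
2024-07-15T10:12:06Z|WS-DE-07|C:\Windows\System32\ipconfig.exe|ipconfig /renew
"""

# Parent directories an unprivileged user can write to; a payload dropped by a
# phishing attachment typically runs from one of these (assumed list, extend as needed).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
WINDOW = timedelta(seconds=120)   # release -> renew gap still considered "temporary"


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    released_at: datetime
    renewed_at: datetime
    executed: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed pipe-delimited format into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                host, image, cmdline))
    return events


def _is_ipconfig(e, switch):
    return e.image.lower().endswith("\\ipconfig.exe") and switch in e.cmdline.lower()


def _from_user_writable(e):
    low = e.image.lower()
    return any(p in low for p in USER_WRITABLE)


def find_release_exec_renew(events, window=WINDOW):
    """Per host: ipconfig /release, then >= 1 process from a user-writable path,
    then ipconfig /renew, all within `window`. Returns one Finding per sequence."""
    findings = []
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, rel in enumerate(evs):
            if not _is_ipconfig(rel, "/release"):
                continue
            executed = []
            for nxt in evs[i + 1:]:
                if nxt.ts - rel.ts > window:
                    break
                if _from_user_writable(nxt):
                    executed.append(nxt.image)
                elif _is_ipconfig(nxt, "/renew"):
                    if executed:   # release/renew with nothing run in between is admin noise
                        findings.append(Finding(host, rel.ts, nxt.ts, executed))
                    break
    return findings


if __name__ == "__main__":
    for f in find_release_exec_renew(parse_log(SAMPLE_LOG)):
        print(f"{f.host}: lease released {f.released_at:%H:%M:%S}, renewed "
              f"{f.renewed_at:%H:%M:%S}; ran {', '.join(f.executed)}")
```

Requiring a process from a user-writable path between the release and the renew is what keeps ordinary helpdesk use of `ipconfig /release` and `/renew` out of the alert queue; tune `WINDOW` and `USER_WRITABLE` to what your fleet's telemetry actually shows.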
## Targeting
- **Sectors:** Financial Institutions, Manufacturing, and Logistics (based on email lures).
- **Geography:** Primarily Poland and Germany.
- **Victims:** Unspecified organizations in the targeted sectors within the primary geographic regions.
## Tools & Infrastructure
- **Malware Families Used:** Agent Tesla and Snake Keylogger (delivered in some of the campaigns), PureCrypter (downloader/loader), TorNet (new backdoor).
- **Infrastructure:** Compromised staging servers hosting AES-encrypted PureCrypter binaries with arbitrary filenames and extensions (.pdf, .dat, .wav, .vdf, .mp3, .mp4) under paths `/filescontentgalleries/pictorialcoversoffiles/` and `/post-postlogin/`.
- **C2:** TOR Network.
## Implications
This actor combines financially driven malware deployment (Agent Tesla/Snake Keylogger) with novel evasion techniques (network manipulation via IP release/renew) centered around a new, highly evasive backdoor, TorNet, which leverages the anonymity of the TOR network for C2. The use of both established and custom malware signals an evolving and persistent financial threat.
## Mitigations
- Monitor endpoint and network telemetry for `ipconfig /release` followed shortly by `ipconfig /renew` on the same host, particularly when a process is started in between.
- Monitor scheduled task creation closely, especially tasks configured to run while the endpoint is on low battery.
- Deploy email gateway solutions capable of deep inspection of compressed archives (`.tgz`).
- Use security solutions capable of detecting reflective DLL loading and in-memory execution to catch PureCrypter and TorNet payloads.
- Implement network controls to minimize or challenge connections to the TOR network, especially from internal endpoints.
- Use Snort rules (SIDs: 64440, 64439, 64437, 64438, 301115) and ClamAV signatures.
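The scheduled-task mitigation above can be turned into a concrete hunt: a task that is allowed to start and keep running on battery power *and* whose action executes from a user-writable path is unusual for legitimate software. The audit below is an added example and not code from the Talos report; the two task definitions are constructed samples, the task names are invented, and the user-writable path list is an assumption. On a real host, feed it the output of `schtasks /query /xml`.

```python
"""
Added example (not code from the Talos report): audit exported Task Scheduler
XML for tasks permitted to start and keep running on battery power whose
action executes from a user-writable path. The two task definitions are
constructed samples with invented names.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace of the Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed list of locations an unprivileged user can write to; extend as needed.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "%appdata%", "%temp%")

# Constructed sample: a vendor-style updater that keeps the schema defaults
# (both battery flags true, so the task will not run on battery).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: both battery flags cleared and the binary lives under the
# user's roaming profile.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jdoe\AppData\Roaming\svc\update.exe</Command>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {"VendorUpdate": BENIGN_TASK, "SvcUpdate": SUSPICIOUS_TASK}


@dataclass
class TaskFinding:
    name: str
    command: str
    runs_on_battery: bool
    user_writable_path: bool


def _setting(settings, tag):
    """Read a boolean <Settings> child. Both battery flags default to true
    (task does not run on battery) when the element is absent."""
    node = settings.find(f"t:{tag}", NS) if settings is not None else None
    if node is None or node.text is None:
        return True
    return node.text.strip().lower() == "true"


def audit_task_xml(name, xml_text):
    """Evaluate one exported task definition."""
    root = ET.fromstring(xml_text)
    settings = root.find("t:Settings", NS)
    runs_on_battery = (not _setting(settings, "DisallowStartIfOnBatteries")
                       and not _setting(settings, "StopIfGoingOnBatteries"))
    cmd = root.find("t:Actions/t:Exec/t:Command", NS)
    command = (cmd.text or "").strip() if cmd is not None else ""
    return TaskFinding(name, command, runs_on_battery,
                       any(p in command.lower() for p in USER_WRITABLE))


def suspicious_tasks(tasks):
    """tasks: {name: xml_text}. Return findings that both run on battery and
    execute from a user-writable location."""
    return [f for f in (audit_task_xml(n, x) for n, x in tasks.items())
            if f.runs_on_battery and f.user_writable_path]


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_TASKS):
        print(f"{f.name}: runs on battery, command {f.command}")
```

Either condition alone produces a lot of benign hits (laptop-aware backup agents clear the battery flags; per-user installers run from AppData); it is the combination, reported together with the task name and command, that is worth an analyst's time.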