Full Report
A financially motivated threat actor has been linked to a phishing email campaign, ongoing since at least July 2024, that specifically targets users in Poland and Germany. The attacks have led to the deployment of various payloads, such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet that's delivered by means of PureCrypter. TorNet is so
Analysis Summary
# Tool/Technique: PureCrypter
## Overview
PureCrypter is a malware loader observed in ongoing phishing campaigns, primarily used to deploy secondary payloads, including the Agent Tesla stealer, Snake Keylogger, and a newly documented backdoor named TorNet, targeting users in Poland and Germany.
## Technical Details
- Type: Malware (Loader)
- Platform: Windows
- Capabilities: In-memory execution, anti-analysis checks, delivering and executing subsequent malware (Agent Tesla, TorNet, Snake Keylogger).
- First Seen: The context mentions campaigns ongoing since July 2024, and PureCrypter itself has been previously documented (e.g., in October 2024 reports).
## MITRE ATT&CK Mapping
(Note: Specific TTPs are inferred based on the described functionality of a downloader/crypter executing in memory after a phishing attachment.)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Implied by "Crypter" functionality)
- T1055 - Process Injection (Implied by in-memory download/execution)
## Functionality
### Core Capabilities
- Arrives as a .NET loader inside a `.tgz` archive attached to the phishing email; once the archive content is opened, the loader runs and hands control to PureCrypter.
- Downloads and executes the main payload (e.g., TorNet) directly into memory to evade traditional file-based detection.
- Establishes persistence using a Windows scheduled task.
### Advanced Features
- Performs sophisticated anti-analysis checks, including anti-debugger, anti-VM, and anti-malware evaluations before deployment.
- Implements a transient network manipulation technique: disconnecting the victim machine from the network before dropping the payload and reconnecting afterward, aimed at evading cloud-based antimalware solutions.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: `.tgz` archive attachment (initial vector)
- Registry Keys: [Not specified in the text, but persistence is achieved via Windows scheduled task]
- Network Indicators: C2 communication for TorNet utilizes the TOR anonymity network. [Specific C2 IPs/Domains are not provided in the summary context.]
- Behavioral Indicators: Execution of a .NET loader, execution of content extracted from a downloaded archive, creation of a Windows scheduled task, and a temporary network disconnection during payload delivery.
## Associated Threat Actors
- Financially motivated threat actor group (unspecified name in the context).
## Detection Methods
- Signature-based detection: [Not specified, but file hashes/signatures of payloads would apply once known.]
- Behavioral detection: Monitoring for unusual network disconnection/reconnection sequences timed around process execution, execution of .NET code originating from archives, and the creation of persistence via scheduled tasks.
- YARA rules: [Not specified]
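The behavioral detection idea above (a short network disconnect/reconnect bracket timed around a fresh process start, followed by scheduled-task creation) is easy to express as a correlation rule. The sketch below is an added example written for this summary, not code from the report or from any vendor. It runs over a constructed, inline list of normalised endpoint events; the field names (`ts`, `type`, `host`, `pid`, `image`, `task`), the event type names and the time windows are all assumptions standing in for whatever your EDR or Sysmon pipeline actually emits.

```python
"""Correlation sketch for the transient-disconnect delivery pattern.

Added example; the event schema and windows below are assumptions, and
SAMPLE_EVENTS is constructed telemetry, not data from the report.
"""
from datetime import datetime, timedelta

# Tunable windows (assumed values, not from the report).
PROCESS_LEAD = timedelta(seconds=60)       # process start shortly before the disconnect
RECONNECT_WINDOW = timedelta(seconds=120)  # down -> up gap short enough to be "transient"
TASK_FOLLOW = timedelta(seconds=300)       # scheduled task created soon after reconnect

# Constructed sample telemetry for two hosts. ws01 shows the full chain;
# ws02 is a user unplugging a cable for a few minutes with nothing around it.
SAMPLE_EVENTS = [
    {"ts": "2024-07-15T09:01:02", "type": "process_start", "host": "ws01", "pid": 4120,
     "image": r"C:\Users\anna\AppData\Local\Temp\invoice_2024.exe"},
    {"ts": "2024-07-15T09:01:05", "type": "net_disconnect", "host": "ws01", "pid": 4120},
    {"ts": "2024-07-15T09:01:09", "type": "net_reconnect", "host": "ws01", "pid": 4120},
    {"ts": "2024-07-15T09:01:20", "type": "schtask_create", "host": "ws01", "pid": 4120,
     "task": r"\Microsoft\Windows\SystemUpdate"},   # constructed task name
    {"ts": "2024-07-15T10:15:00", "type": "net_disconnect", "host": "ws02", "pid": 0},
    {"ts": "2024-07-15T10:19:30", "type": "net_reconnect", "host": "ws02", "pid": 0},
]


def _t(ev):
    """Parse the ISO-8601 timestamp of an event."""
    return datetime.fromisoformat(ev["ts"])


def detect_transient_disconnect(events):
    """Return one finding per disconnect/reconnect bracket on a host that is
    preceded by a fresh process start within PROCESS_LEAD. A scheduled task
    created within TASK_FOLLOW after reconnect raises the severity."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=_t):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        for i, down in enumerate(evs):
            if down["type"] != "net_disconnect":
                continue
            # First reconnect after this disconnect, but only if it comes quickly.
            up = next((e for e in evs[i + 1:]
                       if e["type"] == "net_reconnect"
                       and _t(e) - _t(down) <= RECONNECT_WINDOW), None)
            if up is None:
                continue  # a long outage is not the transient pattern
            starts = [e for e in evs if e["type"] == "process_start"
                      and timedelta(0) <= _t(down) - _t(e) <= PROCESS_LEAD]
            if not starts:
                continue  # no process started right before the drop
            tasks = [e for e in evs if e["type"] == "schtask_create"
                     and timedelta(0) <= _t(e) - _t(up) <= TASK_FOLLOW]
            findings.append({
                "host": host,
                "process": starts[-1]["image"],
                "offline_seconds": (_t(up) - _t(down)).total_seconds(),
                "scheduled_task": tasks[0]["task"] if tasks else None,
                "severity": "high" if tasks else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_transient_disconnect(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately requires a process start in the lead window before it will fire, so ordinary link flaps and laptop sleep/wake cycles (the ws02 case) stay silent; the scheduled-task follow-up is what separates a likely persistence attempt from a one-off.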
## Mitigation Strategies
- Prevention measures: Implementing strict email filtering to block `.tgz` attachments or attachments leading to script execution. Enabling robust Endpoint Detection and Response (EDR) solutions capable of monitoring in-memory code injection.
- Hardening recommendations: Disabling execution of Office macros or scripts from untrusted sources if applicable to the initial loading stages. Regularly auditing scheduled tasks for unauthorized persistence mechanisms.
## Related Tools/Techniques
- Agent Tesla (Information Stealer)
- Snake Keylogger (Information Stealer)
- TorNet (New Backdoor payload deployed by PureCrypter)