
TorNet Backdoor

A financially driven threat actor has been orchestrating a phishing email campaign since at least July 2024, with a particular focus on users in Poland and Germany. This campaign has led to the deployment of multiple threats, including Agent Tesla, Snake Keylogger and a newly identified backdoor named TorNet.

TorNet derives its name from its ability to facilitate communication between the attacker and the compromised system via the TOR anonymity network. The campaign showcases advanced evasion techniques, allowing the attackers to operate stealthily while maintaining persistent access to infected machines.

Clever Evasion Tactics Ensure Stealthy Intrusions

One of the key persistence mechanisms used by the threat actor involves scheduling Windows tasks on victim devices, including those running on low battery. Additionally, the attackers disconnect the compromised system from the network before deploying the payload, only reconnecting it afterward. This tactic helps bypass detection by cloud-based security solutions, reducing the likelihood of early threat identification.
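Persistence tasks with the traits described above can be spotted in exported Task Scheduler XML. The following is an added example (not code from the original write-up or from the campaign) that flags tasks allowed to start and keep running on battery whose action launches from a user-writable directory; the task XML, the path heuristic and the element defaults are assumptions of this example:

```python
"""Flag exported Windows Task Scheduler XML entries that match the
persistence traits described above: tasks allowed to start and keep
running on battery, and whose action launches from a user-writable
directory. The task XML below is constructed for this example; real
exports carry a UTF-16 XML declaration, so open them with encoding='utf-16'."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic (an assumption of this example, tune per environment): directories
# a legitimate persistence task would rarely launch from on a clean host.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def task_runs_on_battery(settings):
    """True when the task neither refuses to start nor stops on battery."""
    def flag(name, default):
        el = settings.find(f"t:{name}", NS) if settings is not None else None
        if el is None:
            return default
        return (el.text or "").strip().lower() == "true"
    # Task Scheduler treats both elements as true when they are absent.
    return (not flag("DisallowStartIfOnBatteries", True)
            and not flag("StopIfGoingOnBatteries", True))

def assess_task(xml_text):
    """Return the battery/path findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    settings = root.find("t:Settings", NS)
    cmd_el = root.find("t:Actions/t:Exec/t:Command", NS)
    command = (cmd_el.text or "").strip() if cmd_el is not None else ""
    on_battery = task_runs_on_battery(settings)
    from_user_dir = any(p in command.lower() for p in USER_WRITABLE)
    return {"command": command, "runs_on_battery": on_battery,
            "user_writable_path": from_user_dir,
            "suspicious": on_battery and from_user_dir}

# Constructed sample: a task that keeps running on battery and launches an
# executable from the user's AppData directory.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\Updater\\svc.exe</Command>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_task(SAMPLE_TASK))
```

On a live host the same fields are available through `Get-ScheduledTask` and `Export-ScheduledTask` in PowerShell; the script above is meant for offline review of exported definitions.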

Deceptive Phishing Emails Carry Threatening Payloads

The attack begins with carefully crafted phishing emails that pose as legitimate financial institutions or logistics and manufacturing companies. These emails often contain fake money transfer confirmations or fraudulent order receipts.

To further avoid detection, the attackers attach compressed files with the '.tgz' extension. This uncommon choice helps the files slip past security filters, increasing the chances that recipients will open them.

A Multi-Stage Execution Unleashes TorNet

Once the recipient extracts and opens the attached archive, a .NET loader is executed. This loader is responsible for fetching and running PureCrypter directly in memory, setting the stage for further compromise.

PureCrypter then launches the TorNet backdoor, but not before conducting multiple security checks. These include anti-debugging measures, virtual machine detection, and other techniques designed to evade analysis and security tools.

The TorNet Backdoor Expands the Attack Surface

After successfully deploying, the TorNet backdoor establishes a connection with its Command-and-Control (C2) server while also linking the infected device to the TOR network. This connection allows the threat actor to maintain communication with the compromised system while remaining anonymous.

TorNet is capable of receiving and executing arbitrary .NET assemblies directly in memory, significantly broadening the attack surface. By downloading and running additional malicious payloads from the C2 server, the attackers can escalate their activities, leading to further system intrusions and potential data breaches.
