Phishing, Email security, Malware, Threat Intelligence

Phishing campaign in Poland and Germany deploys TorNet backdoor

Impersonation attacks

A financially motivated phishing campaign has been targeting users in Poland and Germany since at least July 2024, using PureCrypter to deliver malware including Agent Tesla, Snake Keylogger, and a newly identified backdoor called TorNet, according to The Hacker News.

According to a report by Cisco Talos, the attackers use phishing emails disguised as financial transactions or order confirmations, often impersonating banks and logistics companies. The emails carry attachments with the .tgz extension that, when opened, trigger a .NET loader to download and execute PureCrypter malware in memory. PureCrypter then launches the TorNet backdoor after performing multiple anti-detection checks. TorNet lets the attacker connect infected devices to the command-and-control server as well as to the TOR network. "The actor is running a Windows scheduled task on victim machines -- including on endpoints with a low battery -- to achieve persistence. The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions," according to the analysis.
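The two persistence and evasion behaviours quoted above (a scheduled task allowed to run on battery, and a network disconnect/reconnect bracketing the payload drop) can be correlated from endpoint telemetry. The following is an added detection sketch, not code from Talos or SC Media; the event stream, host names, task names and the five-minute window are constructed assumptions, and only the Task Scheduler XML element name is real.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Minimal Task Scheduler XML of the kind carried in a "scheduled task
# created" audit event. Task names, paths and times are hypothetical.
NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SUSPECT_XML = f"""<Task xmlns="{NS}"><Settings>
  <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
</Settings></Task>"""
BENIGN_XML = f"""<Task xmlns="{NS}"><Settings>
  <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
</Settings></Task>"""

# Constructed event stream: (UTC time, host, kind, task name, task xml).
EVENTS = [
    ("2024-09-10T08:00:00", "WS-01", "net_down", "", ""),
    ("2024-09-10T08:00:20", "WS-01", "task_created", "Updater", SUSPECT_XML),
    ("2024-09-10T08:01:05", "WS-01", "net_up", "", ""),
    ("2024-09-10T09:00:00", "WS-02", "task_created", "Backup", BENIGN_XML),
]


def task_runs_on_battery(task_xml):
    """True if the task may start while on battery. Task Scheduler's default
    is to disallow this, so an explicit 'false' is the unusual setting."""
    for el in ET.fromstring(task_xml).iter():
        if el.tag.endswith("DisallowStartIfOnBatteries"):
            return (el.text or "").strip().lower() == "false"
    return False


def find_offline_staging(events, window_s=300):
    """Return (host, task, runs_on_battery) for tasks created between a
    network disconnect and a reconnect on the same host within window_s."""
    parsed = sorted((datetime.fromisoformat(t), h, k, n, x)
                    for t, h, k, n, x in events)
    hits = []
    for t, host, kind, name, xml in parsed:
        if kind != "task_created":
            continue
        down = any(h == host and k == "net_down"
                   and 0 <= (t - t2).total_seconds() <= window_s
                   for t2, h, k, _, _ in parsed)
        up = any(h == host and k == "net_up"
                 and 0 <= (t2 - t).total_seconds() <= window_s
                 for t2, h, k, _, _ in parsed)
        if down and up:
            hits.append((host, name, task_runs_on_battery(xml)))
    return hits
```

Feeding real scheduled-task audit events and NIC state-change events into the same shape would surface the offline-staging pattern without relying on the cloud scanner the actor is avoiding.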
