Tornet: Privacy Tools Evolve Into Cyber Weapons

Since July 2024, a financially motivated group has been running a phishing campaign against users in Poland and Germany. The attackers deploy malware such as Agent Tesla, Snake Keylogger, and the recently discovered TorNet backdoor, which is delivered by the PureCrypter loader.

TorNet, named for its ability to connect infected devices to the TOR anonymization network, provides attackers with a hidden communication channel. According to analysts at Cisco Talos, the criminals use the Windows Task Scheduler to keep the malware running continuously, even on devices with low battery charge. To evade antivirus systems, the attackers briefly disconnect infected machines from the network before launching the malicious code, then restore the connection.

The primary attack vector remains phishing emails containing fake confirmations of money transfers or orders. The criminals masquerade as employees of financial institutions, manufacturing companies, and logistics firms. The attachments in these emails carry a “.tgz” extension, which helps them bypass detection systems.
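As an added defensive example (not code from the Talos report or this article), the following Python snippet inspects the members of a .tgz attachment at a mail gateway, flagging executable extensions and PE files whose “MZ” header hides behind a document-like name; the sample archive is constructed inline.

```python
import io
import tarfile

# Extensions commonly used for Windows executables and scripts (constructed list for this example)
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def scan_tgz(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of a gzipped tar attachment.
    A member is flagged if its name ends in an executable extension, or if its
    content starts with the 'MZ' PE header regardless of what the name claims."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            reasons = []
            if member.name.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("executable extension")
            handle = tar.extractfile(member)
            head = handle.read(2) if handle else b""
            if head == b"MZ":
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append({"name": member.name, "size": member.size, "reasons": reasons})
    return findings


def build_sample_tgz() -> bytes:
    """Constructed sample: a benign text file, a PE payload disguised as a PDF,
    and a file with a double extension."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in [
            ("invoice.txt", b"Transfer confirmation\n"),
            ("payment_confirmation.pdf", b"MZ\x90\x00" + b"\x00" * 60),
            ("order.pdf.exe", b"MZ" + b"\x00" * 10),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_tgz(build_sample_tgz()):
        print(finding)
```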

When the archive is opened, a .NET loader runs and launches PureCrypter directly in memory. This tool checks the device for antivirus software, debuggers, and virtual machines, and only then activates TorNet. The backdoor establishes a connection to the command-and-control server, executes commands, and can load additional modules into the infected device’s memory, significantly widening the scope for follow-on attacks.

Cisco Talos researchers emphasize that the new malware poses a serious threat because it combines powerful tools for persistence, anonymization, and expansion of attack capabilities. Comprehensive strengthening of cybersecurity measures is vital to defend against such multi-stage threats.
