A financially motivated threat actor has been running a phishing campaign against users in Poland and Germany since at least July 2024. The campaign has delivered several payloads, including Agent Tesla, Snake Keylogger, and a previously undocumented backdoor named TorNet. TorNet is dropped by the PureCrypter loader and routes its command-and-control traffic over the Tor network, which helps the operator stay anonymous and makes the C2 endpoint hard to block by address. The actor also takes steps to evade detection on the host itself, such as disconnecting the victim machine from the network before writing the payload to disk and reconnecting it afterwards, presumably so that cloud-based anti-malware lookups cannot see the file at the moment it is dropped.
The phishing emails typically impersonate financial institutions or manufacturing companies, using lures such as fake money-transfer confirmations or order receipts. The attachments are compressed archives (.tgz), an unusual format for a Windows recipient and most likely chosen to slip past attachment filters. Inside is a .NET loader executable; once the victim extracts and runs it, the loader executes the PureCrypter malware in memory rather than as a standalone file on disk.
PureCrypter then runs a series of anti-analysis checks, including anti-debugging checks and checks for installed security products, and only if these pass does it decrypt and deploy the TorNet backdoor.
Once running, TorNet connects to its command-and-control (C2) server and also joins the victim machine to the Tor network, so the C2 channel itself is anonymised. Over that channel the operator can send arbitrary .NET assemblies for the backdoor to load and execute, which turns TorNet into a generic staging platform: any follow-on tooling can be pushed to the host on demand, raising the risk of further intrusion or exploitation. Persistence is a Windows scheduled task that is explicitly configured to run even when the device is on low battery, so the implant keeps running on laptops where the Task Scheduler's default power settings would otherwise hold a task back.
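As an added illustration (not code from the report or from the actor's tooling), the following Python script parses a Task Scheduler XML definition of the kind that `schtasks /query /tn <name> /xml` or PowerShell's `Export-ScheduledTask` emits, and flags the properties a hunt for this style of persistence would key on: both battery-related settings disabled, the task hidden from the UI, and an action executed from a user-writable directory. The task contents, the path `C:\Users\alice\AppData\Roaming\svchost_update.exe` and the second, benign task are all constructed for the example; the hidden-task and user-writable-path checks go beyond what the article describes and are included as the general checks a practitioner would add alongside the battery setting.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema produced by schtasks.exe /xml
# and by Export-ScheduledTask.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directory markers an unprivileged user can write into. Illustrative,
# not exhaustive; extend for your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")

# Constructed sample (XML declaration omitted). Name, path and file name
# are hypothetical and not taken from the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\svchost_update.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: default power settings, action under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def _setting(root, name):
    """Lower-cased text of <Settings>/<name>, or None if the element is absent."""
    el = root.find(f"t:Settings/t:{name}", NS)
    return (el.text or "").strip().lower() if el is not None else None


def analyze_task(xml_text: str) -> dict:
    """Return the task's Exec commands and a list of persistence-related findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # The Task Scheduler UI enables both battery restrictions by default, so a
    # task with both set to false was deliberately made to run regardless of
    # power state, which is the trait the article describes.
    if (_setting(root, "DisallowStartIfOnBatteries") == "false"
            and _setting(root, "StopIfGoingOnBatteries") == "false"):
        findings.append("runs_on_battery")

    # <Hidden>true</Hidden> keeps the task out of the default Task Scheduler view.
    if _setting(root, "Hidden") == "true":
        findings.append("hidden_from_ui")

    commands = [(c.text or "").strip()
                for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    for cmd in commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            findings.append(f"user_writable_path:{cmd}")

    return {"commands": commands, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, analyze_task(xml_text))
```

To run this across a live host, export every task with `Get-ScheduledTask | Export-ScheduledTask` (one XML document per task) and feed each document to `analyze_task`; a task that hits all three findings is a strong candidate for closer inspection, while a single hit, especially `runs_on_battery` alone, is common enough in legitimate software that it should be correlated with the executable's origin before anyone acts on it.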
A notable technique observed in these emails is hidden text salting, used to evade email detection engines. The attacker pads the message's HTML with text the recipient never sees, either because it sits inside elements whose CSS suppresses rendering (for example display:none, visibility:hidden or a zero font size) or because it consists of characters with no visible glyph, such as zero-width spaces inserted into the middle of keywords. A filter that classifies on the raw text therefore sees a different message from the one the user reads, and keyword matching and statistical spam scoring are thrown off. To counter this, researchers recommend email filtering that explicitly detects hidden text salting, visual similarity detection that compares the rendered message with the content it claims to be, and filtering logic that recognises CSS properties altered to conceal content.
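The detection recommended above amounts to rendering the mail the way a reader would and comparing that with what a parser sees. The following Python scanner is an added example (not code from the report or from any mail-filtering product) that walks an HTML body with the standard library parser, separates the text a human would see from text that is hidden by inline CSS, the `hidden` attribute or HTML comments, and counts zero-width characters stripped from the visible text. The sample email body, the filler phrases, the order number and the 0.25 hidden-text threshold are all constructed for the example; the CSS rules cover the common hiding declarations in general rather than any specific set from the campaign, and stylesheet-based (`<style>` block) hiding is deliberately out of scope.

```python
import re
from html.parser import HTMLParser

# Code points that render as nothing. Inserted inside a keyword they split
# "payment" into "pay" + "ment" for a tokenizer while the reader sees one word.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

ZERO = re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$")   # 0, 0px, 0.0em, 0% ...
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}    # elements with no end tag
SKIP = {"script", "style", "head", "title"}          # never rendered as body text


def style_hides(style: str):
    """Return the inline CSS declaration that hides an element's text, or None."""
    decls = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            decls[prop.strip().lower()] = val.lower().replace("!important", "").strip()
    if decls.get("display") == "none":
        return "display:none"
    if decls.get("visibility") == "hidden":
        return "visibility:hidden"
    for prop in ("font-size", "opacity"):
        if ZERO.match(decls.get(prop, "")):
            return f"{prop}:{decls[prop]}"
    if decls.get("overflow") == "hidden":            # a zero box only hides text if clipped
        for prop in ("width", "height", "max-height"):
            if ZERO.match(decls.get(prop, "")):
                return f"{prop}:{decls[prop]};overflow:hidden"
    for prop in ("left", "top", "text-indent"):      # pushed far off-screen
        if re.match(r"^-\d{4,}", decls.get(prop, "")):
            return f"{prop}:{decls[prop]}"
    return None


class SaltingScanner(HTMLParser):
    """Splits an HTML body into text a reader sees and text only a parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []          # per open element: why its content is hidden, or None
        self.visible, self.hidden = [], []
        self.reasons = set()
        self.invisible_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        if tag in SKIP:
            reason = "skip"
        elif "hidden" in a:                           # boolean attribute parses as ("hidden", None)
            reason = "hidden attribute"
        else:
            reason = style_hides(a.get("style") or "")
        self.stack.append(reason)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        reason = next((r for r in reversed(self.stack) if r), None)   # innermost hiding ancestor
        if reason == "skip":
            return
        if reason:
            self.hidden.append(data)
            self.reasons.add(reason)
        else:
            kept = "".join(ch for ch in data if ch not in INVISIBLE)
            self.invisible_chars += len(data) - len(kept)
            self.visible.append(kept)

    def handle_comment(self, data):
        self.hidden.append(data)
        self.reasons.add("html comment")


def scan_html(html: str) -> dict:
    """Rendered text, hidden text, and a salting verdict for one HTML body."""
    s = SaltingScanner()
    s.feed(html)
    s.close()
    visible = " ".join("".join(s.visible).split())
    hidden = " ".join(" ".join(s.hidden).split())
    total = len(visible) + len(hidden)
    ratio = len(hidden) / total if total else 0.0
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "hidden_ratio": round(ratio, 2),
        "invisible_chars": s.invisible_chars,
        "reasons": sorted(s.reasons),
        # Threshold is illustrative; tune it on your own mail corpus.
        "salted": ratio >= 0.25 or s.invisible_chars > 0,
    }


# Constructed sample body: a transfer-confirmation lure padded with hidden filler
# and with zero-width spaces breaking up "receipt" and the order number.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear customer, your <span style="font-size:0">lorem</span>pay<span style="display:none">ipsum</span>ment
of 4,250.00 EUR has been confirmed.</p>
<p>Open the attached re\u200bceipt (order\u200b-\u200b2931) to verify the details.</p>
<div style="position:absolute;left:-9999px">quarterly newsletter schedule team update</div>
<p hidden>filler words to shift classifier statistics</p>
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_html(SAMPLE_EMAIL_HTML).items():
        print(f"{key}: {value}")
```

The useful output for a filter is not the verdict but the two texts: run the spam classifier on `visible_text` (what the recipient actually reads, with the zero-width characters removed so "payment" is whole again), and treat a high `hidden_ratio` or any `invisible_chars` as a feature in its own right, since legitimate transactional mail has little reason to carry either.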