Alert: New TorNet Backdoor and Agent Tesla Strike Europe in Sophisticated Phishing Campaign

Sophisticated Phishing Campaign Targets European Users with New TorNet Backdoor

A new phishing campaign targeting users in Poland and Germany has been discovered, operating since July 2024. The financially motivated threat actors are deploying multiple malware variants, including Agent Tesla, Snake Keylogger, and a newly identified backdoor called TorNet, distributed through PureCrypter.

The attacks begin with phishing emails disguised as financial transactions or order confirmations, supposedly from legitimate financial institutions and manufacturing companies. These emails contain .tgz attachments designed to evade security detection.

Key Features of the Attack:
– TorNet backdoor communicates through the Tor network for anonymity
– Uses Windows scheduled tasks for persistence
– Temporarily disconnects victims from networks during payload deployment
– Implements sophisticated anti-detection measures

The attack sequence involves:
1. Opening compressed email attachments
2. Executing a .NET loader
3. Downloading PureCrypter
4. Launching TorNet backdoor

The TorNet backdoor is particularly sophisticated, capable of running arbitrary .NET assemblies in memory and establishing connections to command-and-control servers through the Tor network.

Recent findings also indicate an increase in email threats using hidden text salting techniques to bypass security measures. To combat these attacks, experts recommend implementing advanced filtering techniques and visual similarity detection systems.
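As an added example (not code from the article or from any vendor filter), here is a Python scanner for the hidden text salting mentioned above: it walks an HTML email body, separates the text a mail client would render from text hidden by inline CSS or the `hidden` attribute, and flags the message when the hidden share exceeds an assumed tuning threshold. The sample message is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Inline CSS that keeps an element (and its text) out of the rendered view
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?:;|$)", re.IGNORECASE)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never carry text
NON_TEXT = {"style", "script", "head", "title"}  # content is never body text
VISIBLE, HIDDEN, IGNORED = 0, 1, 2  # rendering state; children inherit the parent's

class SaltingScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # rendering state of each open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        state = IGNORED if tag in NON_TEXT else VISIBLE
        if "hidden" in a or HIDING_STYLE.search(a.get("style") or ""):
            state = max(state, HIDDEN)
        self.stack.append(max(state, self.stack[-1] if self.stack else VISIBLE))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        state = self.stack[-1] if self.stack else VISIBLE
        if text and state != IGNORED:
            (self.hidden if state == HIDDEN else self.visible).append(text)

def scan_email_html(html, threshold=0.2):
    """Return visible/hidden text and a verdict; the threshold is an assumed tuning value."""
    scanner = SaltingScanner()
    scanner.feed(html)
    scanner.close()
    visible, hidden = " ".join(scanner.visible), " ".join(scanner.hidden)
    total = len(visible) + len(hidden)
    ratio = len(hidden) / total if total else 0.0
    return {"visible": visible, "hidden": hidden,
            "hidden_ratio": round(ratio, 2), "suspicious": ratio > threshold}

SAMPLE_EMAIL = (  # constructed sample, not a message from the campaign
    "<html><head><style>p{color:#000}</style></head><body><p>Please review the attached order"
    ' confirmation.</p><span style="font-size:0px">lorem ipsum dolor sit amet consectetur</span>'
    '<div style="display:none">random words to defeat the filter</div><p>Regards, Accounts</p>')
```

Running `scan_email_html(SAMPLE_EMAIL)` reports roughly half of the message text as hidden and marks it suspicious, while the same call on a plain message returns a hidden ratio of 0.0.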
