
PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks


Jan 28, 2025 | Ravie Lakshmanan | Phishing Attack / Network Security


A financially motivated threat actor has been linked to an ongoing phishing email campaign that has been running since at least July 2024 and specifically targets users in Poland and Germany.

The attacks have led to the deployment of various payloads, such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet that is delivered by means of PureCrypter. TorNet is so named because it allows the threat actor to communicate with the victim machine over the TOR anonymity network.

“The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence,” Cisco Talos researcher Chetan Raghuprasad said in an analysis published today.
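One way to hunt for the persistence mechanism described above, as an added example that is not part of the Talos report or its tooling: the script below parses exported Task Scheduler XML (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) and flags tasks that switch off the battery safeguards Task Scheduler enables by default, are hidden from the UI, or launch a binary from a user-writable directory. The task names, paths and the user-writable-directory heuristic are assumptions made for the example, not indicators from the report.

```python
"""Flag scheduled tasks allowed to run on battery power (added example, not Talos code)."""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to; a heuristic assumed for this example.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample: hypothetical task name and path, not an indicator from the report.
SUSPECT_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\UpdateHelper</URI></RegistrationInfo>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\loader.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task that keeps Task Scheduler's defaults (both safeguards on).
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def _explicitly_false(settings, name):
    """Task Scheduler treats a missing element as true, so only an explicit 'false' counts."""
    if settings is None:
        return False
    el = settings.find(f"t:{name}", TASK_NS)
    return el is not None and (el.text or "").strip().lower() == "false"


def analyze_task(task_xml):
    """Return the task URI, its command and a list of human-readable findings."""
    root = ET.fromstring(task_xml)
    settings = root.find("t:Settings", TASK_NS)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS).strip()
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS).strip()

    findings = []
    if _explicitly_false(settings, "DisallowStartIfOnBatteries"):
        findings.append("starts even when the endpoint is on battery")
    if _explicitly_false(settings, "StopIfGoingOnBatteries"):
        findings.append("keeps running after switching to battery")
    hidden = settings is not None and settings.findtext(
        "t:Hidden", default="", namespaces=TASK_NS).strip().lower() == "true"
    if hidden:
        findings.append("hidden from the Task Scheduler UI")
    if any(marker in command.lower() for marker in USER_WRITABLE):
        findings.append("launches a binary from a user-writable directory")
    return {"uri": uri, "command": command, "findings": findings}


if __name__ == "__main__":
    for xml_text in (SUSPECT_TASK_XML, BENIGN_TASK_XML):
        result = analyze_task(xml_text)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"{verdict:10} {result['uri']} -> {result['command']}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

Run it over every task exported from an endpoint and triage the ones with findings; a legitimate vendor updater rarely needs to start on battery from a path under the user's profile.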


“The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.”

The starting point of the attacks is a phishing email bearing fake money transfer confirmations or order receipts, with the threat actor masquerading as financial institutions and manufacturing and logistics companies. Attached to these messages are files with the extension “.tgz” in a likely attempt to evade detection.

Opening the compressed email attachment and extracting the archive contents leads to the execution of a .NET loader that, in turn, downloads and runs PureCrypter directly in memory.

The PureCrypter malware then proceeds to launch the TorNet backdoor, but not before performing a series of anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine to fly under the radar.

“The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network,” Raghuprasad noted. “It has the capabilities to download and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions.”


The disclosure comes days after the threat intelligence firm said it observed a surge in email threats leveraging hidden text salting in the second half of 2024 with the intent of sidestepping brand name extraction by email parsers and detection engines.

“Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords,” security researcher Omid Mirzaei said. “The idea is to include some characters into the HTML source of an email that are not visually recognizable.”

To counter such attacks, it is recommended to develop advanced filtering techniques that can detect hidden text salting and content concealment, including detecting the use of CSS properties like “visibility” and “display,” and to adopt a visual similarity detection approach (e.g., Pisco) to enhance detection capabilities.
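As an added example (not Cisco Talos's detection logic or its Pisco tool), the script below implements the first of those recommendations: it splits an HTML email into the text the recipient actually sees and the text concealed through inline CSS (`display:none`, `visibility:hidden`, zero font size, zero opacity, the `hidden` attribute) or zero-width characters, then checks whether a keyword that a naive tag-stripping filter misses is in fact visible to the reader. The sample email, brand name, URL and keywords are constructed for the example; class-based rules in a `<style>` block are not resolved, an assumption a production filter would have to lift.

```python
"""Detect hidden-text salting in an HTML email (added example, not Talos or Pisco code)."""
import re
from html.parser import HTMLParser

# Inline-style patterns that make text invisible to the recipient.
HIDING_STYLES = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
)
# Characters that render as nothing but break a substring match on a keyword.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")
NEVER_RENDERED = {"script", "style", "head", "title"}

# Constructed sample email: hypothetical brand and URL, not from the Talos data set.
SALTED_EMAIL = (
    "<html><body>"
    '<p>Dear customer, your Exa<span style="display:none">qz</span>mple'
    "Bank transfer of <b>EUR 1\u200b,450.00</b> is on hold.</p>"
    '<p style="font-size:0px">lorem ipsum dolor sit amet</p>'
    '<p>Con<span style="visibility:hidden;">xx</span>firm the payment '
    '<a href="https://example.invalid/confirm">here</a>.</p>'
    "</body></html>"
)
CLEAN_EMAIL = "<html><body><p>Your ExampleBank statement is ready.</p></body></html>"
KEYWORDS = ("ExampleBank", "confirm the payment")


class SaltingScanner(HTMLParser):
    """Split the email's text into what the recipient sees and what is hidden."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []           # (tag, hides) for each open element
        self.hidden_depth = 0     # >0 while inside at least one hidden element
        self.visible, self.hidden = [], []
        self.zero_width_count = 0

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        style = attr_map.get("style") or ""
        hides = (tag in NEVER_RENDERED or "hidden" in attr_map
                 or any(rule.search(style) for rule in HIDING_STYLES))
        self.stack.append((tag, hides))
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Ignore stray end tags; otherwise pop back to the matching open tag,
        # tolerating unclosed elements (e.g. <br>) left in between.
        if not any(open_tag == tag for open_tag, _ in self.stack):
            return
        while self.stack:
            open_tag, hides = self.stack.pop()
            if hides:
                self.hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        cleaned = ZERO_WIDTH.sub("", data)
        self.zero_width_count += len(data) - len(cleaned)
        (self.hidden if self.hidden_depth else self.visible).append(cleaned)


def _collapse(text):
    return re.sub(r"\s+", " ", text).strip()


def scan_email_html(html, keywords):
    """Compare naive tag-stripped text with rendered text and report salting indicators."""
    scanner = SaltingScanner()
    scanner.feed(html)
    scanner.close()
    rendered = _collapse("".join(scanner.visible))
    hidden = _collapse("".join(scanner.hidden))
    # What a keyword filter that merely strips tags would see.
    naive = _collapse(re.sub(r"<[^>]+>", " ", html))
    in_rendered = [k for k in keywords if k.lower() in rendered.lower()]
    in_naive = [k for k in keywords if k.lower() in naive.lower()]
    concealment = len(hidden) > 0 or scanner.zero_width_count > 0
    return {
        "rendered_text": rendered,
        "hidden_chars": len(hidden),
        "zero_width_chars": scanner.zero_width_count,
        "keywords_rendered": in_rendered,
        "keywords_naive": in_naive,
        # Salting is suspected when concealment exists and it hides a keyword from the naive view.
        "salting_suspected": concealment and bool(set(in_rendered) - set(in_naive)),
    }


if __name__ == "__main__":
    for label, mail in (("salted", SALTED_EMAIL), ("clean", CLEAN_EMAIL)):
        report = scan_email_html(mail, KEYWORDS)
        print(f"{label}: suspected={report['salting_suspected']} "
              f"hidden={report['hidden_chars']} zero_width={report['zero_width_chars']} "
              f"rendered={report['keywords_rendered']} naive={report['keywords_naive']}")
```

The useful signal is the gap between the two views: a brand or lure phrase that is present in the rendered text but absent from the tag-stripped text is exactly what the salting was inserted to achieve, so that gap, combined with the hidden-character count, is a stronger indicator than either hidden styling or keywords on their own.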



