New Cyberattack Campaign Using TorNet Backdoor Targets Users in Germany and Poland

2025-01-28

A newly identified cyberattack campaign has raised alarm bells within the cybersecurity community. Researchers from Cisco Talos have uncovered a widespread operation exploiting a novel backdoor, dubbed “TorNet.” This attack, attributed to financially motivated threat actors, has been active since mid-2024 and primarily targets users in Germany and Poland. In this article, we’ll break down the attack’s structure, highlight its key features, and offer insights into the sophisticated techniques used by the attackers.

The Attack

Cisco Talos researchers have uncovered a new cyberattack campaign leveraging a previously undiscovered backdoor named TorNet. Active since mid-2024, the campaign has been targeting individuals in Germany and Poland. The attackers employ advanced evasion techniques and utilize the TOR network to ensure covert communication, making detection particularly difficult.

The attack begins with phishing emails impersonating trusted institutions such as financial entities and manufacturing companies. These emails, typically written in Polish or German (with some in English), carry malicious attachments disguised as GZIP-compressed archives with a “.tgz” extension. When opened, the attachment deploys a malware loader written in .NET, which then downloads and decrypts PureCrypter, the second-stage malware.
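The initial vector above is a .tgz attachment that hides a .NET loader. The following is an added example (not code from the Talos report) of a mail-gateway style check: it opens a gzip-compressed tar in memory, flags any member that starts with the PE “MZ” signature, and confirms a .NET assembly by reading the CLR (COM descriptor) data directory at index 14 of the PE optional header. The `build_fake_pe` and `make_tgz` helpers construct synthetic test input; no real sample is used.

```python
import io, struct, tarfile

# Constructed sample for this example: a header-only PE32 image whose CLR
# (COM descriptor) data directory is set, which is what marks a .NET assembly.
def build_fake_pe(dotnet: bool) -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                    # PE32 magic + body
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[14] = (0x2008, 72)                                     # CLR header RVA/size
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + coff + opt

def is_dotnet_pe(blob: bytes) -> bool:
    """True when blob is a PE image whose CLR data directory (index 14) is populated."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if pe + 26 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return False
    magic = struct.unpack_from("<H", blob, pe + 24)[0]
    clr = pe + 24 + (96 if magic == 0x10B else 112) + 14 * 8       # PE32 vs PE32+
    if clr + 8 > len(blob):
        return False
    rva, size = struct.unpack_from("<II", blob, clr)
    return rva != 0 and size != 0

def inspect_tgz(data: bytes, max_member_bytes: int = 4 * 1024 * 1024) -> list:
    """Return (name, is_pe, is_dotnet) for every regular file inside a .tgz blob."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            fh = tar.extractfile(m)
            head = fh.read(max_member_bytes) if fh else b""
            is_pe = head[:2] == b"MZ"
            out.append((m.name, is_pe, is_pe and is_dotnet_pe(head)))
    return out

def make_tgz(files: dict) -> bytes:
    """Pack {name: bytes} into an in-memory gzip tar (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()
```

A gateway would quarantine any message where `inspect_tgz` reports a PE member, and escalate when the member is also a .NET assembly, since archives of that kind are rarely legitimate in inbound mail.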

PureCrypter acts as a dropper for additional malicious payloads, including the TorNet backdoor. The malware incorporates several anti-detection techniques, such as disconnecting the host from the network while it runs to sidestep cloud-assisted antivirus scanning, and refusing to execute inside virtual machines so that it only runs on real victim systems. Once installed, PureCrypter establishes persistence through the Windows Task Scheduler and modifies system settings to hinder removal, including disabling Windows Defender.

The TorNet backdoor, the final piece of this malware chain, communicates with a command-and-control (C2) server using the TOR network, enhancing the attackers’ anonymity. The backdoor can execute arbitrary .NET assemblies sent by the C2 server, broadening the attack surface and increasing the threat’s potential impact. Although researchers couldn’t interact with the C2 server, the design suggests the possibility of data exfiltration or deployment of additional malicious payloads.

What Undercode Says: Analyzing the Attack’s Implications

This attack represents a growing trend in cybercrime where financially motivated actors utilize highly sophisticated and stealthy tactics. The TorNet backdoor highlights the evolving complexity of modern malware. By combining anti-detection techniques, modular payloads, and the use of the TOR network for anonymity, this campaign demonstrates a significant leap in the ability of attackers to remain undetected for extended periods.

The use of phishing emails as the initial infection vector remains a common technique, yet this campaign enhances the traditional approach by incorporating advanced evasion measures. The GZIP-compressed attachments, which disguise the malicious content, show how attackers continuously refine their strategies to bypass detection by traditional security solutions.

One of the standout features of this attack is the use of PureCrypter, which not only serves as a malware dropper but also uses AES encryption to obfuscate its payloads. This makes it harder for security tools to identify and analyze the attack, even after it has been executed. The anti-debugging and anti-virtualization measures further complicate analysis, ensuring that the malware only operates in legitimate environments.

The persistence mechanisms employed by PureCrypter are particularly concerning. By using the Windows Task Scheduler and modifying system settings to disable antivirus software, the attackers ensure that their malware remains active even if the victim attempts to disrupt or remove it. These features make the malware much harder to eradicate and lengthen the time the attackers can remain in control of infected devices.
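Both the description of PureCrypter’s persistence above and the earlier summary of the chain point at the same two observable events on a Windows host: a scheduled task being created and Defender real-time protection being switched off. The following is an added detection example (not from the report or from Cisco) that correlates Security event 4698 (“A scheduled task was created”) with Defender/Operational event 5001 (“Real-time Protection is disabled”) on the same host inside a ten-minute window, and only raises an alert when the task’s action runs from a user-writable directory. The JSON field names, sample records and the ten-minute window are assumptions of this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (one JSON record per line). Event IDs 4698 and 5001
# are real Windows IDs; the field layout is an assumption for this example.
SAMPLE_EVENTS = r"""
{"host":"PC-01","time":"2025-01-20T09:14:02","channel":"Security","id":4698,"task":"\\Updater","command":"C:\\Users\\jan\\AppData\\Roaming\\svc\\loader.exe"}
{"host":"PC-01","time":"2025-01-20T09:14:30","channel":"Microsoft-Windows-Windows Defender/Operational","id":5001}
{"host":"PC-02","time":"2025-01-20T10:00:00","channel":"Security","id":4698,"task":"\\Microsoft\\Windows\\Backup","command":"C:\\Program Files\\Backup\\bk.exe"}
{"host":"PC-03","time":"2025-01-20T11:05:00","channel":"Microsoft-Windows-Windows Defender/Operational","id":5001}
"""

# Directories a standard user can write to; a task action rooted here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def task_from_user_writable(ev: dict) -> bool:
    """4698 whose action runs from a directory a normal user can write to."""
    cmd = ev.get("command", "").lower()
    return ev["id"] == 4698 and any(p in cmd for p in USER_WRITABLE)

def correlate_persistence(events: list) -> list:
    """Pair a suspicious task creation with a Defender 5001 on the same host
    within WINDOW; returns (host, task, command) alerts."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        tasks = [e for e in evs if task_from_user_writable(e)]
        offs = [datetime.fromisoformat(e["time"]) for e in evs if e["id"] == 5001]
        for t in tasks:
            t_time = datetime.fromisoformat(t["time"])
            if any(abs(o - t_time) <= WINDOW for o in offs):
                alerts.append((host, t["task"], t["command"]))
    return alerts
```

Only PC-01 produces an alert in the sample: PC-02 creates a task from Program Files with no Defender change, and PC-03 shows a 5001 with no task, which on its own is worth a lower-severity ticket rather than this rule.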

The TorNet backdoor, with its reliance on the TOR network, represents a new level of sophistication. TOR not only enhances anonymity but also enables the malware to route communications through decentralized networks, making it much harder to trace back to the attackers. The ability of TorNet to download and execute arbitrary .NET assemblies adds another layer of flexibility for the attackers, allowing them to deploy additional malware or extract data without raising immediate alarms.

From an organizational perspective, this campaign underscores the need for robust endpoint protection, especially when dealing with sophisticated phishing attacks. Cisco’s Secure Endpoint, Email, and Web Appliance solutions are vital tools to detect and block such threats early. In addition, network-based defenses like Cisco Umbrella and Secure Firewall can help identify and block malicious communications, particularly those attempting to communicate via the TOR network.

The evolving nature of these cyberattacks suggests that organizations need to stay ahead of emerging threats by continuously enhancing their security posture. This includes educating employees on phishing awareness, implementing advanced email filters, and deploying endpoint protection solutions capable of detecting and responding to sophisticated malware techniques.

As attackers grow more creative and resilient in their tactics, organizations must remain vigilant and adapt their defenses accordingly. By incorporating proactive detection measures, maintaining strong user awareness, and utilizing network-based defenses, the impact of these sophisticated threats can be mitigated.

References:

Reported By: Cyberpress.org