Listen to this Post
2025-01-28
Phishing email campaigns have been a persistent threat for years, but a new wave of highly sophisticated attacks targeting users in Poland and Germany has emerged since mid-2024. Orchestrated by financially motivated threat actors, these attacks not only aim to steal sensitive data but also deploy advanced malware capable of causing long-term damage. In this article, we will explore the nature of these threats, the methods used by cybercriminals, and strategies to combat them.
The ongoing phishing campaign, believed to have started in July 2024, has led to the deployment of various malicious payloads including Agent Tesla, Snake Keylogger, and a newly discovered backdoor known as TorNet. The threat actors behind these attacks are sophisticated and are leveraging tools like PureCrypter to facilitate their malicious activities. One of the key techniques used by the attackers is to employ the TOR network to communicate with compromised machines, making it harder for cybersecurity systems to detect and trace the intrusions.
Phishing emails are the starting point of these attacks. They typically contain fake money transfer confirmations or order receipts, with the threat actor pretending to be financial institutions or logistics companies. The attached files, often in the “.tgz” format, are designed to bypass email security filters. Once opened, these attachments initiate a chain of events that ultimately leads to the execution of the PureCrypter malware, which is responsible for deploying the TorNet backdoor on the infected machine.
The TorNet backdoor gives attackers the ability to execute arbitrary code remotely, significantly increasing the threat surface of the compromised system. Furthermore, the attackers employ several evasion techniques to avoid detection by anti-malware solutions, including disconnecting the victim machine from the network before dropping the payload and reconnecting it afterward to bypass cloud-based security.
What Undercode Says:
This phishing campaign represents a worrying shift towards more advanced and evasive techniques. Financially motivated threat actors are increasingly relying on sophisticated tools to infiltrate targeted systems without being detected. The use of TorNet, combined with the PureCrypter malware, underscores the growing complexity of cyber threats in the financial sector.
The TorNet backdoor is particularly concerning because it allows attackers to maintain a persistent foothold on compromised machines. The connection through the TOR network not only makes it difficult for security researchers to track the source of the attacks but also enables the attackers to issue commands and deploy new malicious payloads remotely. The fact that these attacks can evade detection by cloud-based antimalware solutions makes it clear that traditional security measures are no longer sufficient to protect against these kinds of sophisticated threats.
One interesting aspect of this attack is the use of hidden text salting in the phishing emails. This technique, which involves embedding invisible characters within the email’s HTML code, allows the attackers to bypass email parsers and spam filters. By avoiding detection at the email level, the attackers are able to increase the likelihood that the victim will open the malicious attachment. This highlights the need for advanced email filtering systems that can detect such evasion techniques.
The deployment of multiple malware types, such as Agent Tesla and Snake Keylogger, adds another layer of complexity to the attack. These types of malware are designed to steal sensitive information like login credentials and financial data, potentially leading to identity theft or financial loss for the victims. When combined with the capabilities of TorNet, these tools give the threat actor a full range of options for compromising and controlling victim machines.
The fact that the attackers target both low-battery devices and use a Windows scheduled task to maintain persistence on infected machines demonstrates the level of detail involved in these attacks. By ensuring that the malware remains active even on devices that are not frequently used or that have limited power, the attackers are increasing their chances of success.
To mitigate the risk of such attacks, it is crucial for organizations to adopt a multi-layered security approach. This includes advanced phishing detection techniques, enhanced email filtering to catch hidden text salting, and improved endpoint protection that can identify and block evasive malware. Additionally, security teams should monitor for signs of unusual activity, such as unexpected connections to the TOR network, and quickly isolate compromised machines to limit the damage.
Given the increasing sophistication of phishing attacks and the tools being used by cybercriminals, it’s essential to stay ahead of the curve by continuously updating security measures and educating users about the dangers of phishing. As threat actors become more adept at evading detection, organizations must adapt and develop more advanced techniques to protect sensitive data and prevent breaches.
In conclusion, while phishing attacks continue to evolve in complexity, proactive measures such as enhanced email filtering, real-time malware detection, and vigilance against evasive techniques are essential in mitigating the risks posed by these threats.
References:
Reported By: Thehackernews.com
https://www.discord.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help




