A financially motivated menace actor has been linked to an ongoing phishing electronic mail marketing campaign that has been ongoing since a minimum of July 2024 particularly focusing on customers in Poland and Germany.
The assaults have led to the deployment of varied payloads, similar to Agent Tesla, Snake Keylogger, and a beforehand undocumented backdoor dubbed TorNet that is delivered via PureCrypter. TorNet is so named owing to the truth that it permits the menace actor to speak with the sufferer machine over the TOR anonymity community.
“The actor is operating a Home windows scheduled activity on sufferer machines—together with on endpoints with a low battery—to attain persistence,” Cisco Talos researcher Chetan Raghuprasad mentioned in an evaluation revealed right now.
“The actor additionally disconnects the sufferer machine from the community earlier than dropping the payload after which connects it again to the community, permitting them to evade detection by cloud antimalware options.”
The place to begin of the assaults is a phishing electronic mail bearing faux cash switch confirmations or order receipts, with the menace actor masquerading as monetary establishments and manufacturing and logistics firms. Hooked up to those messages are recordsdata with the extension “.tgz” in a possible try to evade detection.
Opening the compressed electronic mail attachment and extracting the archive contents results in the execution of a .NET loader that, in flip, downloads and runs PureCrypter immediately in reminiscence.
The PureCrypter malware then proceeds to launch the TorNet backdoor, however not earlier than performing a collection of anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the sufferer machine to fly beneath the radar.
“The TorNet backdoor establishes connection to the C2 server and in addition connects the sufferer machine to the TOR community,” Raghuprasad famous. “It has the capabilities to obtain and run arbitrary .NET assemblies within the sufferer machine’s reminiscence, downloaded from the C2 server, growing the assault floor for additional intrusions.”
The disclosure comes days after the menace intelligence agency mentioned it noticed a surge in electronic mail threats leveraging hidden textual content salting within the second half of 2024 with an intent to sidestep model identify extraction by electronic mail parsers and detection engines.
“Hidden textual content salting is an easy but efficient method for bypassing electronic mail parsers, complicated spam filters, and evading detection engines that depend on key phrases,” safety researcher Omid Mirzaei mentioned. “The concept is to incorporate some characters into the HTML supply of an electronic mail that aren’t visually recognizable.”
To counter such assaults, it is beneficial to develop superior filtering methods that may detect hidden textual content salting and content material concealment, together with detecting use of CSS properties like “visibility” and “show,” and undertake visible similarity detection method (e.g., Pisco) to boost detection capabilities.