
New TorNet backdoor Abusing Windows Schedule Task to Deliver Malware


Cisco Talos researchers have identified a widespread cyberattack campaign employing a newly discovered backdoor, dubbed “TorNet.”

The financially motivated threat actor behind this operation has been active since mid-2024, with the campaign primarily targeting users in Germany and Poland.

[Figure: Sample phishing email in German.]

Key features of the attack include advanced evasion techniques and integration with the TOR network for stealthy communications.

Malicious Payload Deployment

The attack relies on phishing emails as the initial infection vector, impersonating financial institutions and manufacturing companies with themes such as fake money transfer confirmations and order receipts.

These emails are written in Polish, German, and occasionally English, suggesting a focus on German and Polish-speaking victims.

The malicious attachments in these emails, compressed using the GZIP format with “.tgz” extensions, disguise the harmful content to bypass detection systems.

Once the user opens the attachment and executes the payload, an encrypted malware loader written in .NET downloads and decrypts a second-stage payload, PureCrypter, from a compromised server.

PureCrypter acts as a dropper for additional malware, including the TorNet backdoor.

The loader also employs AES encryption to obscure the binaries, which are often disguised with benign file extensions such as .pdf or .mp3.

The attackers employ several techniques to avoid detection. PureCrypter disconnects the infected machine from the network, executes the payload, and then restores the connection, so that antivirus solutions miss the moment of execution.

The malware also performs anti-debugging, anti-virtualization, and anti-sandbox checks, so that it runs only on real victim machines and not inside analysis environments.

[Figure: Flow diagram of the infection chain.]

To maintain persistence, PureCrypter leverages the Windows Task Scheduler and Run registry keys.

Notably, the malware schedules tasks that can run even if the infected device is on low battery power, ensuring uninterrupted operation.

It also modifies Windows Defender settings using PowerShell commands, adding itself to exclusion lists to prevent removal.
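The battery settings described above are ordinary fields in a scheduled task's XML definition, so a defender can hunt for them in exported tasks. The following is an added example (not Cisco's or the reporter's code): it parses a constructed task export in the Task Scheduler XML format and flags tasks that start and keep running on battery, are hidden, or launch a binary from a user-writable path. The `USER_WRITABLE` path fragments are my own assumption about where a phishing-delivered loader usually lands.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (schtasks /query /tn <name> /xml exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed path fragments where a loader dropped by a phished user typically lives.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample task, not from the campaign: hidden, launches a binary
# from AppData and is allowed to start and keep running on battery power.
# (Real exports are UTF-16 with an XML declaration; pass those as bytes.)
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Hidden>true</Hidden>
  </Settings>
  <Actions><Exec><Command>C:\\Users\\u\\AppData\\Roaming\\Updater.exe</Command></Exec></Actions>
</Task>"""


def _flag(root, name, default):
    """Read a boolean <Settings> child; Task Scheduler applies `default` when it is absent."""
    node = root.find(f"t:Settings/t:{name}", NS)
    if node is None or not node.text:
        return default
    return node.text.strip().lower() == "true"


def assess_task(xml_text):
    """Return the exec commands and a list of findings for one exported task."""
    root = ET.fromstring(xml_text)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    findings = []
    # Both battery settings default to true; persistence that must survive on
    # battery flips both of them to false.
    if not _flag(root, "DisallowStartIfOnBatteries", True) and not _flag(root, "StopIfGoingOnBatteries", True):
        findings.append("battery: task starts and keeps running on battery power")
    if _flag(root, "Hidden", False):
        findings.append("hidden: task is not shown in the Task Scheduler UI")
    for cmd in commands:
        if any(frag in cmd.lower() for frag in USER_WRITABLE):
            findings.append(f"user-writable: command runs from {cmd}")
    return {"commands": commands, "findings": findings}


if __name__ == "__main__":
    for line in assess_task(SAMPLE_TASK_XML)["findings"]:
        print(line)
```

On a live host, feed it the output of `schtasks /query /tn <task> /xml` for each task to triage them in bulk.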

The Role of TorNet Backdoor

The TorNet malware, a previously undocumented .NET-based backdoor, represents the final stage of this campaign.

Obfuscated with Eziriz’s .NET Reactor, it establishes communication with a command-and-control (C2) server by decoding a base64 string to retrieve the C2 domain and port information.

For additional anonymity, TorNet integrates the TOR protocol by downloading and running “tor.exe,” routing all traffic through the TOR network.

TorNet also supports receiving and executing arbitrary .NET assemblies sent by the C2 server, which gives the attacker a general-purpose way to run further code on the compromised host.

While Cisco researchers could not interact with the C2 server during their analysis, the malware’s design suggests its potential use for further malicious operations, including data exfiltration and additional payload deployment.

Cisco recommends using its Secure Endpoint, Email, and Web Appliance solutions to detect and block such threats.

Network-based defenses like Cisco Umbrella and Secure Firewall can also help identify malicious communications.

For more technical details, indicators of compromise (IOCs) related to this campaign are available on Cisco’s GitHub repository.

This campaign highlights the evolving threat posed by financially motivated attackers leveraging stealthy techniques and modular malware like TorNet.

Organizations are advised to strengthen email defenses, implement robust endpoint protection, and educate employees on phishing awareness.
