Cisco Talos Blog: New TorNet backdoor seen in widespread campaign

Source URL: https://blog.talosintelligence.com/new-tornet-backdoor-campaign/
Source: Cisco Talos Blog
Title: New TorNet backdoor seen in widespread campaign

Feedly Summary: Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

AI Summary and Description: Yes

**Summary:** The text describes an ongoing cyber campaign discovered by Cisco Talos, orchestrated by a financially motivated threat actor targeting users in Poland and Germany. Using phishing emails with disguised malicious attachments, the campaign deploys several malware strains, including a new backdoor called TorNet. Key tactics include establishing persistence via a Windows scheduled task and using the TOR network for command and control, which improves stealth and helps the malware evade security controls.

**Detailed Description:**
The report provides a comprehensive analysis of a cyber threat campaign characterized by the following significant points:

– **Phishing as Initial Infection Vector:**
  – The campaign begins with phishing emails impersonating financial institutions and companies in the logistics sector.
  – Emails are written in Polish and German, with some in English, consistent with the targeted regions.

– **Malware Payloads:**
  – Attackers deploy several payloads, including Agent Tesla and Snake Keylogger, alongside the newly identified TorNet backdoor.
  – Malware is delivered inside compressed TAR archives to disguise its true nature, making detection more difficult.

– **Persistence and Evasion Techniques:**
  – The threat actor uses a Windows scheduled task so the malware persists across system reboots.
  – A distinctive maneuver disconnects the victim’s machine from the network during malware installation to evade detection by cloud-based security.
  – The malware connects to the TOR network for stealthy command-and-control communications.

– **Behavioral Analysis of Malware:**
  – PureCrypter, a malware component, checks for sandbox and debugging environments to thwart analysis.
  – The malware also uses anti-detection tactics such as creating mutexes, modifying Windows Defender settings, and establishing backdoor connections.

– **TorNet Backdoor:**
  – The new TorNet backdoor connects the victim’s machine to the TOR network and performs anti-analysis checks similar to those in PureCrypter.
  – It lets the attacker send arbitrary commands and deliver further malicious payloads undetected, significantly widening the attacker’s reach on the compromised host.

– **Countermeasures:**
  – Several Cisco security products are highlighted that can mitigate such threats, including Cisco Secure Endpoint, Secure Email, Secure Firewall, and various detection tools, emphasizing the importance of layered security.

– **Indicators of Compromise (IOCs):**
  – The report lists specific IOCs related to the threat, providing actionable intelligence for security teams to monitor and detect potential attacks.

– **Risk Assessment:**
  – The attack demonstrates the ongoing threat posed by financially motivated actors combining advanced malware tactics with social engineering, underscoring the need for continuous monitoring, employee training on phishing, and robust security controls.

This document serves as a vital resource for professionals in cybersecurity, particularly those focusing on phishing, malware response, threat intelligence, and incident response strategies in corporate environments.