Full Report
Financially motivated hackers are behind an ongoing malicious campaign targeting Poland and Germany. These phishing attacks aim to deploy multiple payloads, including Agent Tesla, Snake Keylogger, and a novel backdoor dubbed TorNet, which is delivered via PureCrypter malware.

Detect TorNet Backdoor

A significant rise in phishing campaigns, with a 202% increase in phishing messages over […]

The post TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: TorNet Backdoor
## Overview
The TorNet Backdoor is a malicious payload being distributed via phishing campaigns that utilize the PureCrypter malware loader. It is associated with financially motivated threat actors targeting users in Poland and Germany.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Currently not specified, but implied to be common desktop platforms targeted by phishing (e.g., Windows).
- Capabilities: Provides remote access/command execution capabilities to the adversary once successfully deployed.
- First Seen: Active since at least mid-summer 2024.
## MITRE ATT&CK Mapping
*Note: Specific mappings for the TorNet Backdoor itself are not detailed in the summary, but its delivery mechanism via phishing and subsequent execution points to standard initial access and execution tactics.*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- Installation and persistence to provide a covert channel.
- Execution of commands received from the threat actor.
### Advanced Features
- The backdoor is not dropped directly but delivered through the PureCrypter malware loader, which suggests that any obfuscation or anti-analysis characteristics of that loader stage may also apply to the TorNet deployment.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context]
- Registry Keys: [Not specified in the context]
- Network Indicators: [The nature of a "Backdoor" implies C2 communication, but specific details were not provided in the summary.]
- Behavioral Indicators: [Implied behaviors include unusual outbound network connections associated with C2 activity.]
## Associated Threat Actors
- Financially motivated threat actors.
## Detection Methods
- Detection is being provided via curated content (Sigma rules) on platforms like SOC Prime.
- Signatures covering both the PureCrypter loader stage and the resulting TorNet binary should be effective; detecting the loader catches the infection chain before the backdoor payload is unpacked and run.
## Mitigation Strategies
- Training users to recognize and avoid phishing emails (addressing the primary infection vector).
- Implementing email filtering solutions to block malicious attachments or links.
- Employing Endpoint Detection and Response (EDR) capable of monitoring for fileless execution or post-exploitation activity often associated with backdoors.
## Related Tools/Techniques
- PureCrypter (Used as the initial loader for the TorNet distribution).