New TorNet backdoor seen in widespread campaign

Cisco Talos has identified a financially motivated cyber campaign targeting users in Poland and Germany, utilizing phishing emails to deliver various malware payloads, including Agent Tesla, Snake Keylogger, and a new backdoor named TorNet. The campaign employs sophisticated evasion techniques to avoid detection. Affected: Cisco Secure Endpoint, Cisco Secure Web Appliance, Cisco Secure Email, Cisco Secure Firewall, Cisco Secure Malware Analytics, Umbrella, Cisco Duo

Keypoints :

  • Ongoing malicious campaign discovered by Cisco Talos targeting users in Poland and Germany.
  • Phishing emails impersonate financial institutions and logistics companies.
  • Malware delivered includes Agent Tesla, Snake Keylogger, and a new backdoor called TorNet.
  • The actor employs a Windows scheduled task for persistence, even on low battery.
  • Phishing emails contain compressed attachments using the ".tgz" extension.
  • PureCrypter malware is used to drop and run the TorNet backdoor.
  • TorNet connects to the TOR network for stealthy command and control communications.
  • Malware performs extensive anti-analysis and evasion checks.
  • Cisco security products are recommended for protection against this threat.
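
The "persistence even on low battery" point above shows up in a scheduled task's exported XML as two settings. As an added example (not code from the Talos report), the following Python snippet triages exported Task Scheduler XML for tasks that may start and keep running on battery while launching from a user-writable directory; the path heuristic and both sample tasks are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the real schema emitted by `schtasks /query /XML`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an ordinary user can write to; a persistence task launching from
# one of these deserves review. Assumed heuristic, not taken from the report.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def _setting_true(task, tag):
    """Read a boolean <Settings> element; both battery settings default to true."""
    el = task.find(f"t:Settings/t:{tag}", NS)
    text = el.text.strip().lower() if el is not None and el.text else "true"
    return text == "true"

def triage_task(xml_text):
    """Return findings for one exported scheduled-task XML document."""
    root = ET.fromstring(xml_text)
    # Both flags must be false for the task to start *and* keep running on battery.
    runs_on_battery = (not _setting_true(root, "DisallowStartIfOnBatteries")
                       and not _setting_true(root, "StopIfGoingOnBatteries"))
    cmd_el = root.find("t:Actions/t:Exec/t:Command", NS)
    command = cmd_el.text.strip() if cmd_el is not None and cmd_el.text else ""
    from_user_path = any(h in command.lower() for h in USER_WRITABLE_HINTS)
    return {
        "command": command,
        "runs_on_battery": runs_on_battery,
        "from_user_writable_path": from_user_path,
        "suspicious": runs_on_battery and from_user_path,
    }

# Constructed sample: shaped like the battery-tolerant persistence task described above.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: vendor-style task with default battery settings (elements absent).
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings/>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\agent.exe</Command></Exec>
  </Actions>
</Task>"""

print(triage_task(SAMPLE_TASK), triage_task(BENIGN_TASK))
```

In practice, feed it the output of `schtasks /query /XML` for each task and review anything flagged suspicious alongside the task's author and creation time.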

MITRE Techniques :

  • Phishing (T1566): The initial infection vector is phishing emails impersonating legitimate organizations.
  • Command and Control (T1071): TorNet establishes a TCP connection to the C2 server.
  • Persistence (T1547): The malware creates a Windows scheduled task to maintain persistence.
  • Obfuscated Files or Information (T1027): The malware uses obfuscation techniques to hide its true purpose.
  • Process Injection (T1055): The backdoor injects itself into the .NET runtime executable process.
  • Network Traffic Obfuscation (T1071): The use of the TOR network for anonymizing C2 communications.

Indicators of Compromise :

  • [domain] 104[.]168[.]7[.]37
  • [url] /filescontentgalleries/pictorialcoversoffiles/
  • [url] /post-postlogin/
  • [file name] .tgz
  • [tool name] TorNet
  • Check the article for all found IoCs.


Full Research: https://blog.talosintelligence.com/new-tornet-backdoor-campaign/