A financially motivated threat actor has been linked to a sophisticated cyber campaign that has been targeting users in Poland and Germany since July 2024. 

The effort uses phishing emails to spread a range of malware payloads, including Agent Tesla, Snake Keylogger, and an undocumented backdoor called TorNet. 

This backdoor leverages Windows Scheduled Tasks for persistence and employs advanced evasion techniques to bypass detection.

Cisco Talos researchers report that the attack begins with phishing emails masquerading as financial institutions or logistics companies. These emails, written predominantly in Polish and German, contain malicious attachments compressed in .tgz format. 

When victims extract and execute the attached files, a .NET loader downloads and decrypts the PureCrypter malware from compromised servers. PureCrypter then delivers the final payload, often the TorNet backdoor.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

The Attack Flow

PureCrypter is a .NET-based malware loader designed for stealth. It uses AES encryption to obfuscate its payloads, which are either downloaded from hardcoded URLs or embedded within the loader itself. 

The malware decrypts these payloads in memory to avoid detection by antivirus solutions.

Anti-analysis techniques: It checks for debugging tools, sandbox environments (e.g., sbieDLL.dll), virtual machines (e.g., VMware), and anti-malware processes (amsi.dll).

Network disconnection: Before dropping its payload, PureCrypter releases the victim’s DHCP IP address, disconnecting from the network to evade cloud-based anti-malware solutions. It reconnects after executing the payload.

Windows Scheduled Tasks for Persistence: The malware creates tasks that execute every two to four minutes, even when running on low battery power.

TorNet Backdoor Functionality

The TorNet backdoor is a .NET-based malware obfuscated with Eziriz’s .NET Reactor. It connects infected machines to the TOR network for stealthy command-and-control (C2) communications.

C2 Communication: It decodes base64-encoded strings to retrieve C2 domains and port numbers. After resolving the domain’s IP address, it establishes a TCP socket connection.

TorNet backdoor sample connecting to the C2 using the domain and port number

Dynamic Payload Execution: TorNet can download encrypted .NET assemblies from the C2 server, decrypt them using Triple DES encryption, and execute them reflectively in memory.

TOR Integration: The backdoor downloads the TOR Expert Bundle and runs tor.exe as a background process. All traffic is routed through TOR’s SocksPort (127.0.0.1:9050), anonymizing communications and evading network monitoring tools.

The attackers exploit Windows Task Scheduler to maintain persistence:

• Tasks are created using schtasks.exe, configured to run at regular intervals without execution time limits.
• Even on low battery power, tasks continue running uninterrupted, ensuring persistent infection.
• A Visual Basic script is dropped into the startup folder to load the backdoor upon system boot.

The threat actor employs several methods to evade detection:

• Network Isolation: Disconnecting from the network during payload execution prevents real-time monitoring by cloud-based security tools.
• Registry Manipulation: Decrypting task names and paths ensures that malicious tasks blend into legitimate system operations.
• Memory-only Execution: Reflective loading of payloads avoids writing files to disk, reducing forensic artifacts.

Recommendations

The use of Windows Scheduled Tasks combined with TOR connectivity highlights an evolving trend in malware persistence and evasion tactics. Organizations are advised to:

• Monitor scheduled tasks for irregularities using centralized logging tools like Microsoft-Windows-TaskScheduler/Operational logs.
• Inspect registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache for hidden tasks.
• Implement robust email filtering solutions to detect phishing attempts.
• Regularly update endpoint protection systems to identify obfuscated loaders like PureCrypter.

As cybercriminals continue innovating their techniques, proactive monitoring and layered defenses remain critical in mitigating such threats.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar