Fixxx
Moderator
An invisible web of nodes has ensnared thousands of devices worldwide...
Since July 2024, cybercriminals have been conducting an active phishing campaign targeting users in Poland and Germany. The attacks are organized by a financially motivated group that uses malware such as Agent Tesla, Snake Keylogger, and the recently discovered backdoor TorNet, which is distributed via the PureCrypter loader. TorNet got its name due to its ability to connect infected devices to the TOR network, providing the attackers with a hidden communication channel. According to analysts at Cisco Talos, the criminals use the Windows Task Scheduler to ensure the malware runs persistently, even on devices with low battery levels. To bypass antivirus systems, the attackers temporarily disconnect infected machines from the network before executing the malicious code and then restore the connection.
The primary attack method remains phishing emails with fake confirmations of money transfers or orders. The criminals impersonate employees of financial organizations, manufacturing, and logistics companies. Attachments in these emails have the ".tgz" extension, which helps evade detection systems. When the archive is opened, a .NET-based loader is executed, which activates PureCrypter directly in memory. This malicious tool checks the device for antivirus software, debuggers, and virtual machines, and only after that activates TorNet. The latter establishes a connection with the command server, transmits commands, and can load additional modules into the memory of the infected device, significantly increasing the potential for further attacks. Cisco Talos researchers note that this new malware poses a serious threat as it combines powerful stealth, anonymization tools, and capabilities for further attacks. Comprehensive cybersecurity enhancements are a necessary measure to protect against such multi-layered threats.
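As an added defender-side example (not code from the article or from Cisco Talos), the Task Scheduler settings that let a task start and keep running on battery can be hunted for in task XML exported with `schtasks /query /xml`. The two task definitions and the user-writable path list below are constructed assumptions for illustration, not indicators from the campaign.

```python
# Added example: hunting heuristic for scheduled tasks that persist regardless of
# battery state and launch from user-writable paths. Input is task XML as exported
# by `schtasks /query /xml`; the sample tasks are constructed, not real exports.
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristic: loaders dropped by phishing usually live under these paths.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def _setting(root, path):
    el = root.find(path, NS)
    return (el.text or "").strip().lower() if el is not None else ""

def assess_task(task_xml):
    """Return the task's command, the findings raised, and a suspicious verdict."""
    root = ET.fromstring(task_xml)
    findings = []
    # Both flags must be false for a task to start *and* keep running on battery.
    if (_setting(root, "t:Settings/t:DisallowStartIfOnBatteries") == "false"
            and _setting(root, "t:Settings/t:StopIfGoingOnBatteries") == "false"):
        findings.append("runs regardless of battery state")
    if _setting(root, "t:Settings/t:Hidden") == "true":
        findings.append("task hidden from the scheduler UI")
    cmd = _setting(root, "t:Actions/t:Exec/t:Command")
    if any(p in cmd for p in USER_WRITABLE):
        findings.append("command runs from a user-writable path")
    return {"command": cmd, "findings": findings, "suspicious": len(findings) >= 2}

def _task(disallow, stop, hidden, command):
    # Constructed minimal task definition using the real Task Scheduler schema.
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <Settings>
    <DisallowStartIfOnBatteries>{disallow}</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>{stop}</StopIfGoingOnBatteries>
    <Hidden>{hidden}</Hidden>
  </Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed samples: a dropped loader-style task versus a vendor updater.
SUSPICIOUS_TASK = _task("false", "false", "true",
                        r"C:\Users\victim\AppData\Roaming\Updater\svc.exe")
BENIGN_TASK = _task("true", "true", "false",
                    r"C:\Program Files\Vendor\updater.exe")

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, assess_task(xml))
```

Running it over every task exported from a host gives a short triage list; a task that trips two or more findings deserves a look at the binary it launches.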