TorNet Malware Distribution Campaign via Phishing Emails


Recently, FPT Threat Intelligence discovered a dangerous cyber attack campaign targeting users mainly in developed and developing countries. This campaign uses phishing emails to spread malware, including a new backdoor named TorNet.
Overview
Attack Campaign: Starting with Phishing Emails
The campaign begins by sending phishing emails that pretend to be from financial institutions or manufacturing and logistics companies. These emails often contain fake information like payment confirmations or order receipts. Notably, these emails are mainly written in Polish and German, indicating that the attackers are targeting users in these two countries.
How It Works:
The phishing email includes an attachment with a .tgz extension. This file is compressed using GZIP to hide the malicious content.
When the user opens the attachment and extracts it, a .NET loader executable is activated.
This loader downloads the PureCrypter malware from a compromised server, decrypts it, and runs it in the system memory.
PureCrypter Malware and TorNet Backdoor
PureCrypter is a dangerous type of malware used to deploy various payloads, including TorNet, a new backdoor that had not been documented before this campaign.
How PureCrypter Works:
It creates a mutex (a synchronization object) on the victim's computer so that only one copy of the malware runs at a time.
Temporarily disconnects the network to avoid detection by cloud-based anti-malware software.
Performs complex checks to evade detection, including:
Checking for virtual machine (VM) environments like VMware and VirtualBox.
Detecting malware analysis tools such as Sandboxie and Cuckoo.
Disabling Windows Defender by adding malware processes and paths to the exclusion list.
After passing these checks, PureCrypter decrypts and deploys the TorNet backdoor onto the victim's computer.
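An added example, not part of the original report, showing how a defender can audit the Defender exclusion list that PureCrypter is described as tampering with. It assumes an elevated PowerShell session on the endpoint; the directory patterns it flags are an illustrative assumption, not indicators from the report.

```powershell
# Added example (not from the original report): audit Microsoft Defender
# exclusions, since the loader is described as adding its own process and
# paths to the exclusion list. Run in an elevated PowerShell session.

# Locations a loader dropped by a phishing attachment would typically live in.
# Assumption for illustration, not an indicator taken from the report.
$suspiciousRoots = @('\AppData\', '\Temp\', '\Downloads\', '\ProgramData\', '\Public\')

$prefs    = Get-MpPreference
$findings = @()

# ExclusionPath and ExclusionProcess are both null when nothing is excluded.
foreach ($path in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
    if (-not $path) { continue }
    foreach ($root in $suspiciousRoots) {
        if ($path -like "*$root*") {
            $findings += [pscustomobject]@{ Type = 'Exclusion'; Value = $path }
            break
        }
    }
}

# Event 5007 in the Defender operational log records configuration changes;
# when an exclusion is added, the message names the Exclusions registry key.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    if ($e.Message -match 'Exclusions') {
        $text = $e.Message -replace '\s+', ' '
        $findings += [pscustomobject]@{ Type = 'ConfigChange'; Value = "$($e.TimeCreated): $text" }
    }
}

if ($findings.Count -eq 0) {
    'No suspicious Defender exclusions or recent exclusion changes found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any exclusion pointing into a user-writable directory, or a 5007 event that nobody on the team can account for, is worth pulling the host for a closer look.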
Backdoor TorNet: Dangerous and Stealthy
TorNet is a new .NET backdoor, obfuscated using the .NET Reactor tool. It can connect the victim's computer to the Tor network, allowing attackers to remain anonymous and avoid detection.
How TorNet Works:
Connects to a command and control (C2) server through the TOR network.
Receives and executes commands from the C2 server, including downloading and running other malicious .NET files.
Uses complex encryption techniques to communicate with the C2 server, making detection more difficult.
Recommendations
Here are some recommended measures you can take to protect against this attack campaign:
Be cautious with unfamiliar emails:
- Do not open attachments from unknown senders, especially compressed files (.zip, .tgz).
- Carefully check the sender's address and the message content for signs of phishing.
Regularly update software:
- Ensure the operating system and security software are always updated to the latest versions.
Use reliable anti-malware software:
- Install and maintain anti-malware solutions from reputable providers.
Monitor unusual network connections:
- If you detect your computer connecting on its own to unfamiliar IP addresses or using the Tor network, disconnect it and scan for malware immediately.
Increase awareness of information security:
- Train employees and users on common phishing techniques and how to avoid them.
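An added example, not from the original report, for the network-monitoring recommendation above: a PowerShell triage that checks the local DNS cache for names under the dynamic-DNS providers used by the campaign's C2 hostnames in the IOC list, and lists established TCP connections to the default Tor relay ports. The port list is a heuristic assumption (Tor relays can listen on any port, 443 included), so a hit is a lead to investigate, not proof of infection.

```powershell
# Added example (not from the original report): endpoint triage for the
# "monitor unusual network connections" recommendation.

# Dynamic-DNS zones taken from the C2 hostnames in the report's IOC list.
$ddnsProviders = @('duckdns.org', 'accesscam.org', 'freeddns.org', 'ddnsgeek.com',
                   'camdvr.org', 'casacam.net', 'ddnsfree.com')
# Default Tor ORPort and DirPort. Heuristic assumption: relays may use other ports.
$torPorts = @(9001, 9030)

$hits = @()

# 1. Names the host has resolved recently under a DDNS provider used by the campaign.
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($zone in $ddnsProviders) {
        if ($entry.Entry -like "*.$zone") {
            $hits += [pscustomobject]@{ Source = 'DnsCache'; Detail = $entry.Entry; Process = '' }
            break
        }
    }
}

# 2. Live connections to Tor relay ports, with the owning process for context.
foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($torPorts -contains $conn.RemotePort) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($proc) { $label = "$($proc.ProcessName) ($($proc.Path))" }
        else       { $label = "pid $($conn.OwningProcess)" }
        $hits += [pscustomobject]@{
            Source  = 'TcpConnection'
            Detail  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            Process = $label
        }
    }
}

if ($hits.Count -eq 0) {
    'No DDNS lookups or Tor-port connections found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

A Tor-port connection owned by a process running from a user profile directory, rather than an installed Tor Browser, is the pattern the report describes and should be isolated and scanned.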
Conclusion
The attack campaign using TorNet and PureCrypter malware is a serious reminder of the importance of staying vigilant against cybersecurity threats. By following basic security measures and increasing awareness, you can minimize risks and protect your personal information and critical data.
IOCs