A new TorNet backdoor has been discovered being spread through an ongoing phishing campaign. The campaign primarily targets users in Poland and Germany, using phishing emails written in Polish and German. The emails impersonate financial institutions and manufacturing companies and carry malicious attachments in .tgz format. When the attachment is opened, a .NET loader executes and downloads the PureCrypter malware, which is then used to deploy multiple payloads. These payloads include Agent Tesla, Snake Keylogger, and the new TorNet backdoor itself.
The TorNet backdoor is particularly concerning because it connects to its command and control server over the Tor network, which hides the traffic's destination and makes detection more difficult. The malware, still being distributed in the ongoing campaign, also abuses Windows Scheduled Tasks to achieve persistence, with the tasks configured to run even on systems with low battery. These sophisticated techniques emphasize the need for heightened security awareness training and advanced threat detection tools.
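The scheduled-task persistence described above leaves a checkable trace: Windows Task Scheduler defaults to "start only on AC power" and "stop if switching to battery", so a task definition that sets both `DisallowStartIfOnBatteries` and `StopIfGoingOnBatteries` to `false` deviates from the default. The following Python is an added detection example written for this page, not code from the report or from the malware; it parses task definitions in the Task Scheduler XML schema (the form `schtasks /Query /XML` exports and that Security Event ID 4698 carries in its `TaskContent` field) and flags tasks that run regardless of power state while launching a binary from a user-writable location. The two sample task definitions and the list of user-writable path hints are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments that usually indicate a user-writable location; this list
# is an assumption for the example, extend it to match your environment.
USER_WRITABLE_HINTS = (
    "%appdata%", "%localappdata%", "%temp%", "%tmp%",
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\",
)

# Constructed sample: a benign task that keeps the Task Scheduler defaults.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\sc.exe</Command><Arguments>query</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: a hidden task allowed to run on battery that launches
# an executable dropped under %APPDATA% (fictional path, not a real IoC).
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\updater\update.exe</Command></Exec>
  </Actions>
</Task>"""


def _text(root, path, default):
    """Return the trimmed text of the first element at path, or default if absent."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else default


def analyze_task(task_xml: str) -> dict:
    """Parse one Task Scheduler XML definition and return the detection findings.

    Absent settings take the Task Scheduler defaults (battery settings true,
    Hidden false), so a task that omits them is treated as default-configured.
    """
    root = ET.fromstring(task_xml)
    disallow_on_battery = _text(root, "t:Settings/t:DisallowStartIfOnBatteries", "true").lower() == "true"
    stop_on_battery = _text(root, "t:Settings/t:StopIfGoingOnBatteries", "true").lower() == "true"
    hidden = _text(root, "t:Settings/t:Hidden", "false").lower() == "true"
    commands = [(e.text or "").strip() for e in root.findall("t:Actions/t:Exec/t:Command", NS)]

    findings = []
    if not disallow_on_battery and not stop_on_battery:
        findings.append("runs_on_battery")          # both power guards disabled
    if hidden:
        findings.append("hidden")                   # not shown in the Task Scheduler UI
    if any(h in c.lower() for c in commands for h in USER_WRITABLE_HINTS):
        findings.append("exec_from_user_writable_path")

    # Running on battery alone is a weak signal (laptops legitimately do it);
    # combined with a binary in a user-writable path it warrants review.
    suspicious = "runs_on_battery" in findings and "exec_from_user_writable_path" in findings
    return {"commands": commands, "findings": findings, "suspicious": suspicious}


def triage(tasks: dict) -> list:
    """Return the names of tasks in {name: xml} that analyze_task marks suspicious."""
    return [name for name, xml in tasks.items() if analyze_task(xml)["suspicious"]]


if __name__ == "__main__":
    sample = {"\\Microsoft\\ServiceCheck": BENIGN_TASK, "\\Updater": SUSPICIOUS_TASK}
    for name, xml in sample.items():
        print(name, analyze_task(xml))
    print("review:", triage(sample))
```

On a live host the same function can be fed the output of `schtasks /Query /XML /TN <name>` or the `TaskContent` field of Event ID 4698 records collected from a SIEM; the point is to baseline the power-state settings, which almost no installer changes, rather than to match a single binary name.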