Jan 28, 2025 | Ravie Lakshmanan | Phishing Attack / Network Security
A financially motivated threat actor has been linked to a phishing email campaign that has targeted users in Poland and Germany since at least July 2024.
The attacks have led to the deployment of several payloads, such as , , and a previously undocumented backdoor dubbed TorNet that's delivered by means of . TorNet gets its name from the fact that it uses the TOR anonymity network to communicate with the victim machine.
The actor runs a Windows scheduled task on victim machines, including on endpoints with low battery, to maintain persistence, according to Cisco Talos researcher Chetan Raghuprasad in an analysis published today.
The actor also disconnects the victim machine from the network before dropping the payload, allowing them to evade detection by cloud-based anti-malware solutions, and then reconnects the victim machine to the network.
The attack's starting point is a phishing email carrying fake money transfer confirmations or order receipts, with the threat actor posing as financial institutions and manufacturing and logistics companies. In an effort to evade detection, these messages were likely sent with attachments bearing the extension ".tgz."
A .NET loader, executed once the compressed attachment is opened and the archive contents extracted, downloads and runs PureCrypter directly in memory.
The PureCrypter malware then proceeds to launch the TorNet backdoor, but not before performing a series of anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine to fly under the radar.
"The TorNet backdoor connects the victim machine to the TOR network and establishes a connection to the C2 server," Raghuprasad said. "It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine's memory, downloaded from the C2 server, increasing the attack surface for further intrusions."
The threat intelligence company made the disclosure days after it reported seeing a rise in email threats using hidden text salting in the second quarter of 2024, with the intent of evading company name extraction by email parsers and detection engines.
Security researcher Omid Mirzaei described hidden text salting as a simple but effective technique for evading keyword-based detection engines, confusing spam filters, and email parsers. The idea is to insert characters into the HTML source of an email that are not visually recognizable to the reader.
To counter such attacks, it's recommended to develop advanced filtering techniques that can detect hidden text salting and content concealment, including detecting the use of CSS properties like "visibility" and "display", and to adopt visual similarity detection approaches (e.g., ) to enhance detection capabilities.
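As an added illustration of the filtering recommendation above (example code written for this page, not Cisco Talos tooling), the scanner below walks an email's HTML, separates the text a reader actually sees from text salted in via hiding CSS, and shows why a brand keyword check must run on the visible text rather than on the raw tag-stripped source. The sample message, the brand list and the set of hiding rules are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the article): the impersonated brand name is
# broken up with CSS-hidden characters so a naive keyword filter misses it.
SAMPLE_HTML = (
    "<p>Your transfer from Pay<span style='display:none'>xq</span>Account "
    "<span style=\"visibility: hidden\">zz</span>Bank is pending. <br>"
    "<span style='font-size:0'>ignore</span>Confirm now.</p>"
)
WATCHED_BRANDS = ("PayAccount Bank",)  # hypothetical brand watch list

# Inline-style patterns that hide content; extend as new tricks are seen.
HIDING_RULES = tuple(re.compile(p, re.I) for p in (
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"font-size\s*:\s*0(px|pt|em|%)?\s*(;|$)",
    r"opacity\s*:\s*0(\.0+)?\s*(;|$)",
))
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed

class SaltingScanner(HTMLParser):
    """Separates the text a reader sees from text salted in via hiding CSS."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []  # one bool per open element: does it hide content?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        self._stack.append(any(r.search(style) for r in HIDING_RULES))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        # Text is hidden if any enclosing element hides its content.
        (self.hidden if any(self._stack) else self.visible).append(data)

def scan_email_html(html, brands=WATCHED_BRANDS):
    scanner = SaltingScanner()
    scanner.feed(html)
    scanner.close()
    raw = re.sub(r"<[^>]+>", "", html)  # what a tag-stripping filter sees
    visible = re.sub(r"\s+", " ", "".join(scanner.visible)).strip()
    return {
        "visible_text": visible,
        "hidden_chunks": len(scanner.hidden),
        "suspected_salting": bool(scanner.hidden),
        "brand_in_raw": any(b.lower() in raw.lower() for b in brands),
        "brand_in_visible": any(b.lower() in visible.lower() for b in brands),
    }
```

A real deployment would also resolve `<style>` blocks and class-based rules, which this inline-only scanner does not attempt.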