Warning: Phishing campaign targets Germany with new malware

February 12, 2025

Dr Martin J. Krämer, Security Awareness Advocate at KnowBe4

Researchers at Cisco Talos are warning of a new phishing campaign targeting users in Germany and Poland to distribute various types of malware, including a new backdoor called ‘TorNet’. The phishing emails pretend to be fake transfer confirmations from financial institutions or fake order confirmations from manufacturing and logistics companies.

‘The phishing emails are mainly written in Polish and German, suggesting that the perpetrators are mainly targeting users in these countries,’ the researchers write. ‘We have also found some examples of phishing emails from the same campaign written in English. Based on the subject line of the phishing emails and the filenames of the email attachments, we have a medium confidence that the threat actor is financially motivated. The phishing email contains attachments with the extension ‘.tgz’, which indicates that the perpetrator used GZIP to compress the TAR archive of the malicious attachment file in order to hide the actual malicious content of the attachment and circumvent detection of the email.’

The new malware variant, dubbed ‘TorNet’, is installed by the PureCrypter loader after a user opens the attachment.

‘When a user opens the compressed email attachment, manually unzips it, and launches a .NET executable loader, they eventually download encrypted PureCrypter malware from a compromised staging server,’ the researchers write.

‘The loader decrypts the PureCrypter malware and executes it in system memory. In some intrusions we observed as part of this campaign, we found the PureCrypter malware dropping and executing the TorNet backdoor. The TorNet backdoor connects to the C2 server and connects the victim machine to the TOR network. It is able to receive and execute arbitrary .NET assemblies in the memory of the victim computer that have been downloaded from the C2 server, thereby increasing the attack surface for further intrusions.’
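The campaign relies on a `.tgz` attachment to hide an executable loader from mail filtering. The following script, added here as an illustration and not code from Cisco Talos or KnowBe4, shows the kind of check a mail gateway or incident responder can run on such an attachment without executing anything: inflate the GZIP-compressed TAR in memory, list its members, and flag any that carry an executable extension or start with the PE `MZ` magic bytes. The archive contents, filenames and size limit are constructed for the example; the fake PE member is only a header stub, not a real program.

```python
import io
import tarfile

# Constructed sample data: the first bytes of a PE file (MZ magic) padded out.
# This is NOT a working executable, just enough to trip the magic-byte check.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100

# Assumed policy values for this example; tune to your environment.
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge members (decompression-bomb guard)
RISKY_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs")


def build_sample_tgz() -> bytes:
    """Build an in-memory .tgz mimicking a fake order confirmation: one text file
    plus an executable named to look like the order document (constructed names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("Bestellung_12345.txt", b"Bestellbestaetigung\n"),
                           ("Bestellung_12345.exe", FAKE_PE)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_tgz(blob: bytes) -> list[dict]:
    """Return one finding per archive member with a list of triggered flags.
    Nothing is written to disk; members are only read far enough to check magic bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            entry = {"name": member.name, "size": member.size, "flags": []}
            # Archive paths that would escape an extraction directory are suspicious on their own.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                entry["flags"].append("path-traversal")
            if not member.isfile():
                findings.append(entry)
                continue
            if member.name.lower().endswith(RISKY_EXTENSIONS):
                entry["flags"].append("executable-extension")
            if member.size > MAX_MEMBER_BYTES:
                entry["flags"].append("oversized")
            else:
                # Read only the first two bytes: PE executables (including .NET loaders) start with "MZ".
                head = tar.extractfile(member).read(2)
                if head == b"MZ":
                    entry["flags"].append("pe-magic")
            findings.append(entry)
    return findings


def should_quarantine(findings: list[dict]) -> bool:
    """True if any member raised at least one flag."""
    return any(entry["flags"] for entry in findings)


if __name__ == "__main__":
    results = inspect_tgz(build_sample_tgz())
    for entry in results:
        print(f"{entry['name']:28} {entry['size']:6} bytes  flags={entry['flags']}")
    print("quarantine:", should_quarantine(results))
```

The extension check alone is easy to defeat by renaming, so the magic-byte check is the one that matters; conversely, the size cap exists because inflating an attachment in memory is itself something an attacker can abuse. In production the same logic would sit behind whatever attachment hook your mail gateway exposes.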

Up-to-date security awareness training and sensible human risk management can help protect your organisation against phishing and other social engineering attacks.
