TorNet Backdoor Exploits Windows Scheduled Tasks to Deploy Malware

Cisco Talos researchers have identified an ongoing cyber campaign, active since mid-2024, deploying a previously undocumented backdoor known as “TorNet.”

This operation, believed to be orchestrated by a financially motivated threat actor, predominantly targets users in Poland and Germany through phishing emails.

The emails, disguised as financial or logistics communications, aim to deceive recipients into executing malicious attachments, initiating the infection.

The attackers employ PureCrypter malware as a delivery mechanism, leveraging compressed email attachments to bypass detection.

Once executed, PureCrypter decrypts and loads the TorNet backdoor directly into the memory, bypassing traditional file-based detection systems.

The infection chain includes additional payloads, such as Agent Tesla and Snake Keylogger, exposing victims to extensive compromise.

The attackers disconnect the victim’s machine from the network during payload deployment, minimizing the chance of detection by cloud-based antimalware solutions.

The TorNet backdoor further enhances stealth by establishing connections to command-and-control (C2) servers via the TOR network, anonymizing communications and complicating traceability.

PureCrypter modifies system settings, creates scheduled tasks, and even accounts for power constraints, ensuring the infection persists on systems operating on low battery.

The malware uses obfuscation techniques, such as Eziriz’s .NET Reactor, to hinder reverse engineering.

Anti-debugging, anti-virtualization, and other anti-analysis features are also integrated, preventing malware detection in sandbox environments.

Expanded Attack Surface Through TorNet Backdoor

The TorNet backdoor stands out for its capability to load arbitrary .NET assemblies sent by the C2 server, significantly increasing risks of further exploitation.

The malware encodes communication using encryption protocols, adding layers of obfuscation to its activities.

During examination, researchers observed connections to IP addresses via specific ports, indicating active C2 communication.

However, the backdoor also introduces a new dimension of stealth by routing all network traffic through the TOR architecture, further anonymizing its interactions.

The presence of TorNet represents a major escalation in malicious capabilities, as it empowers attackers to inject new payloads dynamically, potentially facilitating data exfiltration, ransomware deployment, or other malicious activities.

Defensive Measures

Organizations are urged to adopt layered defense mechanisms to counter this evolving threat.

Tools like Cisco Secure Endpoint, Cisco Secure Email, and Umbrella are effective in detecting and mitigating such campaigns.

Additionally, advanced scanning and behavioral monitoring solutions can prevent initial infiltration through malicious email attachments.

Key indicators of compromise (IOCs) related to this campaign, including IP addresses, domains, and hashes, have been made available in the Cisco Talos GitHub repository.

As attackers continue to refine their techniques, proactive measures such as multi-factor authentication (e.g., Cisco Duo) and strict network monitoring are critical to minimizing exposure to this threat.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free