Saturday, December 6, 2025


Researchers from Cisco Talos Uncover New Cybercriminal Campaign in Poland and Germany

Cisco Talos researchers have identified a new cybercriminal campaign active since July 2024 in Poland and Germany. The attackers disguise themselves as trusted institutions and companies operating in the financial, manufacturing, and logistics sectors. They use phishing emails designed to look like legitimate order confirmations or financial transfer notifications. However, these seemingly harmless emails contain malicious attachments that infect recipients’ devices.

According to Cisco Talos’ analysis, the attackers are primarily motivated by financial gain. The sophistication of the attacks suggests that they were meticulously planned, with indications that the campaign’s reach may extend beyond the initially targeted regions. This is further supported by observed cases involving emails written in English.


Attack Vectors and Campaign Execution

The attack begins with the distribution of phishing emails that appear credible due to their polished design and content. These emails are written in Polish and German, highlighting the campaign’s geographical focus. The attachments in these emails are “.tgz” files, compressed TAR archives that conceal malicious software. The use of GZIP compression aims to bypass email security systems.

When a recipient opens the attachment, a .NET executable file is launched, functioning as a “loader.” This small program connects to a server controlled by the attackers, from which it downloads the actual malicious software – in this case, PureCrypter. PureCrypter operates solely in the victim’s device memory, making it significantly harder to detect using traditional antivirus tools.

PureCrypter plays a critical role in the attack by initiating the next stage of malicious code: an advanced backdoor dubbed “TorNet” by Cisco Talos. TorNet allows cybercriminals to gain complete control over the infected device, enabling them to transfer, execute, and modify files. Additionally, TorNet integrates with the anonymous TOR network, complicating detection and tracing of the attackers’ activities.


Technical Aspects of the Attack

The malicious software PureCrypter is designed to operate stealthily. Once launched on a victim’s computer, it employs various techniques to avoid detection and analysis. For instance, it conducts checks to detect sandbox environments or malware analysis tools. If such mechanisms are identified, PureCrypter may alter its behavior or terminate entirely to evade detection.

After bypassing these checks, PureCrypter executes malicious code that loads into the victim’s device memory. This code then installs the TorNet backdoor, providing extensive capabilities for further exploitation. TorNet’s built-in features enable dynamic execution of additional malicious code and real-time control over the infected system.

To ensure the persistence of the infection, PureCrypter modifies key system settings, such as the Windows registry, and creates scheduled tasks that regularly relaunch the malicious loader. The attackers even employed a technique to trigger scheduled tasks in Windows, regardless of the victim’s device battery level, ensuring uninterrupted operation.
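As an added illustration of what a defender can check for (example code, not from Cisco Talos or the article), the script below parses a Task Scheduler XML export, as produced by `schtasks /query /tn <name> /xml`, and flags a task whose on-battery settings were flipped from their defaults and whose action launches a binary from a user-writable directory. The sample tasks and the list of user-writable directories are constructed assumptions, not campaign artifacts.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML export (schtasks /query /tn <name> /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristic: directories a standard user can write to without admin rights.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)


def _is_false(settings, name):
    """True when the named <Settings> flag is explicitly set to false (default is true)."""
    el = settings.find(f"t:{name}", NS) if settings is not None else None
    return el is not None and (el.text or "").strip().lower() == "false"


def task_findings(task_xml: str) -> list:
    """Return the reasons a task looks like loader persistence; empty list if none."""
    root = ET.fromstring(task_xml)
    settings = root.find("t:Settings", NS)
    reasons = []
    # Both flags default to true; flipping them lets the task fire on battery power.
    if _is_false(settings, "DisallowStartIfOnBatteries"):
        reasons.append("task allowed to start while on battery")
    if _is_false(settings, "StopIfGoingOnBatteries"):
        reasons.append("task not stopped when switching to battery")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"executes from a user-writable path: {cmd} {args}".strip())
    return reasons


# Constructed sample exports (not real campaign artifacts).
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
  </Settings>
  <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\svc\\loader.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries></Settings>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, task_findings(xml) or "no findings")
```

Run over every exported task on a host, the same checks surface tasks that deviate from the Windows defaults in the way the article describes, while vendor updaters installed under Program Files produce no findings.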


Conclusions and Recommendations

The attack discovered by Cisco Talos is a testament to the growing sophistication of cybercriminal operations. This campaign underscores the importance of exercising caution with email communications, especially those involving financial matters. It is crucial to avoid opening suspicious attachments and to always verify the sender’s identity. Such precautions can help mitigate the serious consequences of an attack like this.

Cisco Talos urges increased vigilance to minimize the impact of this campaign and prevent future attacks. Regular system updates and the use of advanced security tools can significantly enhance cybersecurity measures.

Source: Manager Plus
