PureCrypter Malware Dropping New TorNet Backdoor


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Cyble Research and Intelligence Labs (CRIL) came across an article in which security researchers identified an ongoing malicious campaign, active since at least July 2024, operated by a financially motivated threat actor. The campaign primarily targets users in Poland and Germany, as indicated by the language used in phishing emails. The threat actor has deployed various payloads, including Agent Tesla, Snake Keylogger, and a newly identified, undocumented backdoor named TorNet, delivered via PureCrypter malware.

The intrusion begins with a phishing email as the initial infection vector. The threat actor impersonates financial institutions, manufacturing, and logistics companies by distributing fake money transfer confirmations and fraudulent order receipts. The phishing emails are primarily written in Polish and German, suggesting a targeted focus on users in these countries. However, some samples from the same campaign have also been observed in English. Based on the themes of the phishing emails and the filenames of the attachments, there is medium confidence that the actor is financially motivated.

The phishing emails contain attachments with the “.tgz” file extension, indicating the use of GZIP compression to obscure the TAR archive of the malicious file. This tactic is likely employed to conceal the true nature of the attachment and evade email security detections.

Technical Details

When a user opens the compressed email attachment, manually extracts its contents, and executes the .NET loader, the loader ultimately downloads an encrypted PureCrypter malware sample from a compromised staging server. It then decrypts and executes PureCrypter malware directly into system memory.

In some instances, within this campaign, the PureCrypter malware has been observed deploying and executing the TorNet backdoor. The TorNet backdoor establishes a connection to the C&C server and integrates the infected machine into the TOR network. It can retrieve and execute arbitrary .NET assemblies in memory, downloaded from the C&C server, thereby expanding the attack surface for further malicious activities.

The compressed attachment files contain a large .NET executable, which is designed to either download the next-stage malicious executables from a remote staging server or reflectively load an embedded malicious binary.

Some of the analyzed loader samples in this campaign retrieve an AES-encrypted PureCrypter malware binary from compromised websites using hardcoded URLs. These binaries are hosted in directory paths such as “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/.” To evade detection, the encrypted PureCrypter files are stored with arbitrary filenames and various file extensions, including .pdf, .dat, .wav, .vdf, .mp3, and .mp4. The loader decrypts the PureCrypter binary and executes it via reflective loading.

In some loader samples, the encrypted PureCrypter malware was embedded within the loader itself. It is decrypted using the AES algorithm and then executed via reflective loading directly in the victim machine’s memory.

The PureCrypter malware identified in this intrusion is a Windows dynamic-link library (DLL) obfuscated using Eziriz’s .NET Reactor obfuscator. It contains encrypted binary resources of legitimate DLLs, including Protobuf-net and Microsoft Task Scheduler DLL, along with the TorNet backdoor.

Upon execution, PureCrypter first creates a mutex on the victim machine, releases the currently assigned DHCP IP address, establishes persistence, performs various anti-analysis and detection tasks, drops and executes the payload, and then renews the IP address.

Cmd /c ipconfig /release

Cmd /c ipconfig /renew

This technique is likely used to evade detection by cloud-based anti-malware solutions. It temporarily disconnects the victim machine from the network and reconnects after deploying and executing the backdoor.

Anti-Analysis and Evasion Techniques

PureCrypter employs multiple anti-debugging, anti-analysis, anti-virtualization, and anti-malware techniques, including:

  1. Debugger Detection: Uses the CheckRemoteDebuggerPresent function to determine if the process is being debugged.

  2. Sandbox Detection: Enumerates running processes to check for the presence of “sbieDLL.dll” (Sandboxie) and “cuckoomon.dll” (Cuckoo sandbox).

  3. Virtual Machine Detection: Executes WMI queries to search for strings like “VMware,” “VIRTUAL,” “AMI,” and “Xen” in the system BIOS and computer configuration.

Select * from Win32_BIOS

Select * from Win32_ComputerSystem

It also checks for the presence of “vmGuestLib.dll” to detect VMware environments.

  4. User Account Check: Verifies if the victim’s username matches “john,” “anna,” or “xxxxxxxx.”

  5. Anti-Malware Detection: Scans running process modules for “amsi.dll” and “amsiscanbuffer” to identify Windows Antimalware Scan Interface (AMSI) presence.

  6. Event Tracing for Windows (ETW) Detection: Attempts to locate the “EtwEventWrite” function in “ntdll.dll” to determine if ETW logging is enabled.

  7. Windows Defender Evasion: Modifies Windows Defender settings by executing PowerShell commands to exclude its process and the dropped backdoor from security scans:

Add-MpPreference -ExclusionPath

Add-MpPreference -ExclusionProcess

Payload Deployment and Persistence

After bypassing security measures, PureCrypter decrypts the embedded backdoor from its resources and drops it in the user’s application temporary folder with a randomized filename. Another file resource is also decrypted using a custom string decryption algorithm to generate arbitrary filenames and task names for Windows Task Scheduler.

To maintain persistence, PureCrypter:

  1. Adds the loader’s path to the Run registry key.

  2. Creates a scheduled Windows task using a decrypted task name from its resource file, executing the loader every two to four minutes with no execution time limit.

  3. Configures the scheduled task to run even if the machine switches to battery power and prevents it from stopping when battery power is low.

These persistence techniques are likely implemented to ensure uninterrupted execution, preventing the operating system from deprioritizing the malware process when the machine is running on low battery power.

PureCrypter places a Visual Basic script in the Windows startup folder, designed to load and execute the dropped backdoor upon system startup.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme formatted as file[://]<Path of the dropped backdoor>. It then injects the backdoor into the .NET runtime executable process on the victim machine. This technique is likely employed to disguise file access activity as a web request in system logs and to evade detection mechanisms that monitor the execution of files from suspicious paths.

A new .NET backdoor, identified as TorNet, has been observed as the payload in recent intrusions of this campaign. TorNet is obfuscated using Eziriz’s .NET Reactor obfuscator and includes hash values in place of a compilation timestamp. This artifact suggests that the samples were compiled in Visual Studio with the “/deterministic” parameter enabled. When Visual Studio is configured for deterministic builds, the compiled date/time field is replaced with a hash of the compilation options.

Upon execution, TorNet decodes a base64-encoded string to extract the C&C domain, port number, and a 16-character alphanumeric string (5e7a81857a353068). It then performs anti-debugging, anti-malware, anti-virtualization, and sandbox evasion checks similar to those used by PureCrypter.

After completing its evasion checks, TorNet establishes a TCP socket connection to the C&C server by resolving the IP address of the C&C domain extracted from the base64-decoded string. The connection is made using one of the ports 8194, 7890, or 8410. During the research period, the C&C domains associated with the backdoor were observed resolving to the IP address 104[.]168[.]7[.]37.

After establishing a connection to the C&C server, TorNet decodes the base64-encoded strings and sends the obtained string “5e7a81857a353068” to the C&C server. It then creates a hexadecimal byte stream of length 20 and compresses it using the GzipStream function before writing it to a memory stream.

HEX stream:

3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38

ASCII equivalent:

:<2-byte place holder>\n5e7a81857a353068

TorNet then generates an MD5 hash of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream with the Triple DES algorithm. Using the BitConverter function, TorNet splits the encrypted byte stream and transmits it to the C&C server by writing it to the TCP stream through the socket.

The C&C server may respond to TorNet’s request by sending an arbitrary encrypted .NET assembly. TorNet will then decrypt the binary and execute it via reflective loading. While no response from the C&C server was observed during analysis, examination of the TorNet binary suggests that the received payload would be an arbitrary .NET assembly, expanding the attack surface for further malicious activities.

TorNet also integrates the victim machine into the TOR network. It achieves this by downloading the TOR expert bundle from the TOR Project archive, extracting its contents, and executing “tor[.]exe” as a background process to establish a connection to the TOR network.

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127[.]0[.]0[.]1:9050). It utilizes the socket.Poll function to route all traffic from the backdoor process on the victim machine through the TOR network. This technique allows the threat actor to anonymize C&C communication and evade detection.
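To turn the host and network behaviours described in this write-up (the ipconfig release/renew pair, Defender exclusions added with Add-MpPreference, tor.exe launched from the user profile, beaconing to the observed C&C ports, and use of the local Tor SocksPort) into something a SOC can run, here is an added Python detection sketch. It is not code from the original page or the cited research; the event field names and the sample telemetry are this example's own constructions.

```python
import re
from collections import defaultdict

# Observables from the write-up: ipconfig release/renew around payload execution, Defender
# exclusions via Add-MpPreference, tor.exe from AppData, C&C ports, and the Tor SocksPort.
C2_PORTS = {8194, 7890, 8410}
TOR_SOCKSPORT = ("127.0.0.1", 9050)
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")  # simplified internal-address check

def classify(event):
    """Return the rule names one process-creation or network event matches."""
    hits = []
    if event["type"] == "process":
        # Normalise the en dash some reports render for PowerShell parameters.
        cmd = event["cmdline"].lower().replace("\u2013", "-")
        image = event["image"].lower()
        if "ipconfig" in cmd and ("/release" in cmd or "/renew" in cmd):
            hits.append("ipconfig_release_renew")
        if "add-mppreference" in cmd and re.search(r"-exclusion(path|process)\b", cmd):
            hits.append("defender_exclusion_added")
        if image.endswith("\\tor.exe") and "\\appdata\\" in image:
            hits.append("tor_from_user_profile")
    elif event["type"] == "network":
        if (event["dst"], event["port"]) == TOR_SOCKSPORT:
            hits.append("tor_socksport_use")
        elif event["port"] in C2_PORTS and not event["dst"].startswith(PRIVATE_PREFIXES):
            hits.append("tornet_c2_port")
    return hits

def scan(events):
    """Collect the distinct rules hit per host, so a multi-stage infection stands out."""
    by_host = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            by_host[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in by_host.items()}

def suspects(events, min_rules=3):
    """Hosts matching at least min_rules distinct behaviours (threshold is tunable)."""
    return sorted(h for h, r in scan(events).items() if len(r) >= min_rules)

# Constructed sample telemetry (field names are this example's own, not the page's).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "Cmd /c ipconfig /release"},
    {"host": "ws01", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp"},
    {"host": "ws01", "type": "process", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\tor\\tor.exe", "cmdline": "tor.exe"},
    {"host": "ws01", "type": "network", "dst": "127.0.0.1", "port": 9050},
    {"host": "ws01", "type": "network", "dst": "203.0.113.5", "port": 8194},
    {"host": "ws02", "type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "Cmd /c ipconfig /renew"},
]
```

A single ipconfig renew on its own is noisy; the per-host aggregation is what separates ws01 (five distinct behaviours) from ws02.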

Recommendation

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  1. The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.

  2. When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.

  3. Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.

  4. Restrict the execution of WerFaultSecure.exe to its designated location to prevent unauthorized execution from other directories.

  5. Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.

  6. Monitor the beacon on the network level to block data exfiltration by malware or TAs.

Conclusion

This phishing campaign demonstrates the increasingly sophisticated tactics used by financially motivated threat actors. By impersonating financial institutions, manufacturing, and logistics companies, the attackers deceive victims into opening malicious attachments disguised as legitimate documents. The use of compressed .tgz files helps bypass email security measures, leading to the deployment of PureCrypter. This malware loader delivers various payloads, including Agent Tesla, Snake Keylogger, and the newly identified TorNet backdoor. Through AES encryption, reflective loading, and obfuscation techniques, the attackers effectively evade detection while maintaining persistence on compromised systems.

TorNet exhibits advanced capabilities, including anti-debugging, anti-virtualization, and anti-analysis checks, along with the ability to establish persistence through Windows Task Scheduler and registry modifications. By leveraging the TOR network, the malware anonymizes C&C communications, making tracking and detection more challenging. This campaign highlights the importance of robust email security, endpoint protection, and network monitoring to detect unusual activity, such as TOR connections. Strengthening security awareness training and proactive threat intelligence sharing is essential in mitigating the risks posed by these evolving threats.
