New Tornet Backdoor Seen in Widespread Campaign

    Date: 01/29/2025

    Severity: Medium

    Summary

    A financially motivated threat actor has been running a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The actor uses phishing emails to deliver various payloads, including Agent Tesla, Snake Keylogger, and a new, previously undocumented backdoor called TorNet, which is dropped by the PureCrypter malware. The actor achieves persistence by creating a Windows scheduled task on victim machines, configured to run even when the machine is on low battery. To evade detection, the actor disconnects the victim machine from the network before dropping the payload and then reconnects it. TorNet enables stealthy command and control communications over the TOR network, which helps it avoid detection by cloud antimalware solutions.

    Indicators of Compromise (IOC) List

    URL/Domain

    italzformendinggallores.duckdns.org 

    humblecrazeforeal8897.accesscam.org 

    sertiscoppersail432.freeddns.org 

    moristaetdfertal9002.ddnsgeek.com 

    paradoncalleke5689.camdvr.org 

    blissfulzerooooos690.ddnsfree.com 

    www.blissfulzerooooos690.ddnsfree.com 

    greeslieforreallcul5672.casacam.net

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zerwfilj.pdf

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Awtvbihi.vdf

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Sfrnotlay.mp3

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Sjydgbr.pdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Guwasd.dat 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Fwudzwsfsp.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Dyvfi.dat 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Iicivjzqdma.mp3 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Dewsmwflw.vdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Xlkythleoq.pdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Jovjvwp.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Vmoeykn.pdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Wyvmy.wav 

    http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Gikwomjv.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Qecvodcnuz.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Hlynogyqp.dat 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Uvkoiguq.dat 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Oqjhea.mp3 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Ztpcwfowiiu.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bonhowau.mp4 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Qcqvzdtpln.pdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Jlhwfgnnyms.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Otmaq.mp4 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Elxrh.vdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rxmjavdc.mp3 

    http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Elxrh.vdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Cfyenm.mp4 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bibyep.mp4 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Lcrakntjck.pdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Atcbgl.mp4 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rspfqdltykq.mp3 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Fxsovxc.pdf 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bnvqyotgu.mp3 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rmtafnw.mp3 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Lmshcchh.wav 

    https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Ibesc.wav 

    https://cud-senegal.org/post-postlogin/Oojhwcym.wav 

    https://cud-senegal.org/post-postlogin/Cpoewtupeck.mp4 

    https://cud-senegal.org/post-postlogin/Nrileknnlgv.vdf 

    https://cud-senegal.org/post-postlogin/Izevzxvwkpf.pdf

    Hash

    4a5b8442dc2b34a270acdcd8a14cce573d59dc0922c9e49cda8fe2dd8e4a3862
    
    edac6216665f1c8b0a09158abdd5e7fab63a386a1c9ad31ddd5ee92a6aa811fc
    
    e9ab4772ba6de2db9add3d4bbd3ce0f2dd899f16399b57fd2a539769e6ee973a
    
    75d2d368d735fca2bad0155510cb4a927f7f246ea72299395990027264056521
    
    c32d97fb9a1681a7bea3f417abde0264a2332221e317c8543e337baac9307c67
    
    3b4e709768d7cd0cb895de74267f45a6ef6565ebed445393878f17ae02a983e3
    
    53e7b3b72695a1eaea7146ec3cbd05d0ce2a1eba87f035ae07849feb4f59ec63
    
    84570dac910557d0d8217db746c9a8fd4a27cd3db89135731c7f3584b37df533
    
    57543fd3673c9595a73c836b153faf68e23938662c5a4b6675205734b688ae95
    
    898d0451bd52c466d2284091be928f8ec1ced2184b205d903a04a747e67763ea
    
    9d33726fc1d39fdc0426c70ed0cfb515e15f50d39c46d8ff38025b4faf8811dc
    
    075737b17ba72aed5f45d227bf91dd5744914308e1468717a8f3100a0cca8156
    
    a85423a1a37f604e492ee58920178080f0da306750a356ddfe1b695c12becd07
    
    bff0ec65af8b2bb37fcc5202f823b5877ebdcc8efbd32e08f309cbcb4dc2570c
    
    252d9ed583bbd2e5d75ae5167feb393bd50b44933594f9586aaf5d9987cf78ec
    
    13ac538c8c6696a59f890677cf451db77b7c33539da1d380640ce549b2b70ca4
    
    7ce9af599857827317a444c5a63a08929ec97765bc2624076f4834f323a41da2
    
    2f1cb29e47c5b07fba3070d6a5339b00d2f3075eb7717438cf5cf53679793919
    
    2f9c2e0bef460a7623954d65f10e6e5993c01d25e6f2905a5dc911639ca2ea75
    
    dc513e35a6d96933e7af2b300782a32131d31445a6d1e2bbca9604128c92e7c6
    
    6774a822d9c66951be95341d50c1f876a9373fefef52f68f29eaae4efc621817
    
    80b80e15f605f0b8740e1989e505280394d746e8a8ee37cdb9b009d745e42da0
    
    4280eb4cfa0445a40d8e1dfafdc0eb24613f3536c5959270ef0079034b30e653

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zerwfilj.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zerwfilj.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Awtvbihi.vdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Awtvbihi.vdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Sfrnotlay.mp3" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Sfrnotlay.mp3" or userdomainname like "greeslieforreallcul5672.casacam.net" or url like "greeslieforreallcul5672.casacam.net" or userdomainname like "italzformendinggallores.duckdns.org" or url like "italzformendinggallores.duckdns.org" or userdomainname like "humblecrazeforeal8897.accesscam.org" or url like "humblecrazeforeal8897.accesscam.org" or userdomainname like "sertiscoppersail432.freeddns.org" or url like "sertiscoppersail432.freeddns.org" or userdomainname like "moristaetdfertal9002.ddnsgeek.com" or url like "moristaetdfertal9002.ddnsgeek.com" or userdomainname like "paradoncalleke5689.camdvr.org" or url like "paradoncalleke5689.camdvr.org" or userdomainname like "blissfulzerooooos690.ddnsfree.com" or url like "blissfulzerooooos690.ddnsfree.com" or userdomainname like "www.blissfulzerooooos690.ddnsfree.com" or url like "www.blissfulzerooooos690.ddnsfree.com" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Sjydgbr.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Sjydgbr.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Guwasd.dat" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Guwasd.dat" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Fwudzwsfsp.wav" or url like 
"https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Fwudzwsfsp.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Dyvfi.dat" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Dyvfi.dat" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Iicivjzqdma.mp3" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Iicivjzqdma.mp3" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Dewsmwflw.vdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Dewsmwflw.vdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Xlkythleoq.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Xlkythleoq.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Jovjvwp.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Jovjvwp.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Vmoeykn.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Vmoeykn.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Wyvmy.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Wyvmy.wav" or userdomainname like "http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf" or url like "http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Gikwomjv.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Gikwomjv.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf" or url like 
"https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Qecvodcnuz.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Qecvodcnuz.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Hlynogyqp.dat" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Hlynogyqp.dat" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Uvkoiguq.dat" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Uvkoiguq.dat" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Oqjhea.mp3" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Oqjhea.mp3" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Ztpcwfowiiu.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Ztpcwfowiiu.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bonhowau.mp4" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bonhowau.mp4" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Qcqvzdtpln.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Qcqvzdtpln.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Jlhwfgnnyms.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Jlhwfgnnyms.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Otmaq.mp4" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Otmaq.mp4" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Elxrh.vdf" or url like 
"https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Elxrh.vdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rxmjavdc.mp3" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rxmjavdc.mp3" or userdomainname like "http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Elxrh.vdf" or url like "http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Elxrh.vdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Cfyenm.mp4" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Cfyenm.mp4" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bibyep.mp4" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bibyep.mp4" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Lcrakntjck.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Lcrakntjck.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Atcbgl.mp4" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Atcbgl.mp4" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rspfqdltykq.mp3" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rspfqdltykq.mp3" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Fxsovxc.pdf" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Fxsovxc.pdf" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bnvqyotgu.mp3" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Bnvqyotgu.mp3" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rmtafnw.mp3" or url like 
"https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Rmtafnw.mp3" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Lmshcchh.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Lmshcchh.wav" or userdomainname like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Ibesc.wav" or url like "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Ibesc.wav" or userdomainname like "https://cud-senegal.org/post-postlogin/Oojhwcym.wav" or url like "https://cud-senegal.org/post-postlogin/Oojhwcym.wav" or userdomainname like "https://cud-senegal.org/post-postlogin/Cpoewtupeck.mp4" or url like "https://cud-senegal.org/post-postlogin/Cpoewtupeck.mp4" or userdomainname like "https://cud-senegal.org/post-postlogin/Nrileknnlgv.vdf" or url like "https://cud-senegal.org/post-postlogin/Nrileknnlgv.vdf" or userdomainname like "https://cud-senegal.org/post-postlogin/Izevzxvwkpf.pdf" or url like "https://cud-senegal.org/post-postlogin/Izevzxvwkpf.pdf"

    Detection Query 2

    sha256hash IN ("4a5b8442dc2b34a270acdcd8a14cce573d59dc0922c9e49cda8fe2dd8e4a3862","edac6216665f1c8b0a09158abdd5e7fab63a386a1c9ad31ddd5ee92a6aa811fc","e9ab4772ba6de2db9add3d4bbd3ce0f2dd899f16399b57fd2a539769e6ee973a","75d2d368d735fca2bad0155510cb4a927f7f246ea72299395990027264056521","c32d97fb9a1681a7bea3f417abde0264a2332221e317c8543e337baac9307c67","3b4e709768d7cd0cb895de74267f45a6ef6565ebed445393878f17ae02a983e3","53e7b3b72695a1eaea7146ec3cbd05d0ce2a1eba87f035ae07849feb4f59ec63","84570dac910557d0d8217db746c9a8fd4a27cd3db89135731c7f3584b37df533","57543fd3673c9595a73c836b153faf68e23938662c5a4b6675205734b688ae95","898d0451bd52c466d2284091be928f8ec1ced2184b205d903a04a747e67763ea","9d33726fc1d39fdc0426c70ed0cfb515e15f50d39c46d8ff38025b4faf8811dc","075737b17ba72aed5f45d227bf91dd5744914308e1468717a8f3100a0cca8156","a85423a1a37f604e492ee58920178080f0da306750a356ddfe1b695c12becd07","bff0ec65af8b2bb37fcc5202f823b5877ebdcc8efbd32e08f309cbcb4dc2570c","252d9ed583bbd2e5d75ae5167feb393bd50b44933594f9586aaf5d9987cf78ec","13ac538c8c6696a59f890677cf451db77b7c33539da1d380640ce549b2b70ca4","7ce9af599857827317a444c5a63a08929ec97765bc2624076f4834f323a41da2","2f1cb29e47c5b07fba3070d6a5339b00d2f3075eb7717438cf5cf53679793919","2f9c2e0bef460a7623954d65f10e6e5993c01d25e6f2905a5dc911639ca2ea75","dc513e35a6d96933e7af2b300782a32131d31445a6d1e2bbca9604128c92e7c6","6774a822d9c66951be95341d50c1f876a9373fefef52f68f29eaae4efc621817","80b80e15f605f0b8740e1989e505280394d746e8a8ee37cdb9b009d745e42da0","4280eb4cfa0445a40d8e1dfafdc0eb24613f3536c5959270ef0079034b30e653")
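    The two queries above match raw strings, and Query 1 compares full URLs against both a domain field and a URL field with `like`, which is loose: a domain indicator should be matched against the hostname (including its subdomains, since both `blissfulzerooooos690.ddnsfree.com` and `www.blissfulzerooooos690.ddnsfree.com` appear in the list), a URL indicator should be compared after normalising scheme and host case, and a SHA-256 should be compared case-insensitively. The following script is an added example, not Gurucul's or Talos's code; it takes a subset of the advisory's own domain, URL and hash indicators, runs them over constructed `key=value` log lines (an assumed format, not real telemetry), and also flags a weaker "same staging host, different file name" signal that the exact-URL query would miss.

```python
"""Added example: match the advisory's domain, URL and SHA-256 indicators
against constructed sample log lines. Log format and field names (url,
dest_host, sha256) are assumptions for illustration only."""
from urllib.parse import urlsplit

# Subset of indicators copied from the advisory's IOC list.
IOC_DOMAINS = {
    "italzformendinggallores.duckdns.org",
    "humblecrazeforeal8897.accesscam.org",
    "blissfulzerooooos690.ddnsfree.com",
    "greeslieforreallcul5672.casacam.net",
}
IOC_URLS = {
    "https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zerwfilj.pdf",
    "http://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zafvlztxj.vdf",
    "https://cud-senegal.org/post-postlogin/Izevzxvwkpf.pdf",
}
IOC_SHA256 = {
    "4a5b8442dc2b34a270acdcd8a14cce573d59dc0922c9e49cda8fe2dd8e4a3862",
    "edac6216665f1c8b0a09158abdd5e7fab63a386a1c9ad31ddd5ee92a6aa811fc",
}

# Host part of each URL indicator: a request to the same staging host with a
# new file name is still worth reviewing, but as a weaker signal.
IOC_URL_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}


def normalize_url(url):
    """Lower-case scheme and host, drop query/fragment; keep path case
    (the staged file names are case-sensitive)."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"


IOC_URLS_NORM = {normalize_url(u) for u in IOC_URLS}


def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one,
    so www.blissfulzerooooos690.ddnsfree.com matches the bare domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(event):
    """Return the list of match reasons for one parsed event ([] if clean)."""
    reasons = []
    if "sha256" in event and event["sha256"].lower() in IOC_SHA256:
        reasons.append("sha256:" + event["sha256"].lower()[:12])
    if "url" in event:
        host = (urlsplit(event["url"]).hostname or "").lower()
        if normalize_url(event["url"]) in IOC_URLS_NORM:
            reasons.append("url:exact")
        elif host_matches(host, IOC_URL_HOSTS):
            reasons.append("url:host-only")  # same staging host, new file name
        if host_matches(host, IOC_DOMAINS):
            reasons.append("domain:" + host)
    if "dest_host" in event and host_matches(event["dest_host"], IOC_DOMAINS):
        reasons.append("domain:" + event["dest_host"].lower())
    return reasons


def parse_kv_line(line):
    """Parse a whitespace-separated 'key=value' log line (assumed format)."""
    out = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "ts=2025-01-28T09:12:01Z src=10.0.0.12 url=https://sanel.net.pl/filescontentgalleries/pictorialcoversoffiles/Zerwfilj.pdf",
    "ts=2025-01-28T09:12:05Z src=10.0.0.12 url=HTTPS://SANEL.NET.PL/filescontentgalleries/pictorialcoversoffiles/Newname.mp3",
    "ts=2025-01-28T09:13:40Z src=10.0.0.12 dest_host=www.blissfulzerooooos690.ddnsfree.com dest_port=443",
    "ts=2025-01-28T09:14:02Z host=WS-0042 file=C:\\Users\\u\\AppData\\Roaming\\x.exe sha256=EDAC6216665F1C8B0A09158ABDD5E7FAB63A386A1C9AD31DDD5EE92A6AA811FC",
    "ts=2025-01-28T09:15:00Z src=10.0.0.13 url=https://example.com/index.html",
]


def scan(lines):
    """Return (line_index, reasons) for every line that hits an indicator."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify(parse_kv_line(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOGS):
        print(i, reasons)
```

    Run as a script it reports four of the five constructed lines: the exact staged-file URL, the same staging host with an unlisted file name (host-only), the `www.` subdomain of a listed dynamic-DNS domain, and an upper-cased copy of a listed SHA-256. The `url:host-only` reason is deliberately separate from `url:exact` so that analysts can triage it at a lower priority rather than suppress it.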

    Reference: 

    https://blog.talosintelligence.com/new-tornet-backdoor-campaign/


    Tags

    Malware, Backdoor, Poland, Germany, Keylogger
