
CTI Roundup: New TorNet Backdoor, Lynx Ransomware, and Q4 Trends

Ongoing campaign uses TorNet backdoor, Lynx ransomware group operates advanced affiliate program, and Cisco Talos releases Q4 incident response trends report

Emerging Issue

This week, CTI examines an ongoing campaign by a financially motivated threat actor capable of connecting to the TOR network and evading detection. Next, CTI reviews a new ransomware-as-a-service (RaaS) group called Lynx, which is now running a sophisticated affiliate program. Finally, CTI recaps Cisco Talos’s latest report for the fourth quarter of 2024.

Ongoing campaign uses TorNet backdoor

Cisco Talos discovered a widespread campaign that has been operating since July 2024. The actor delivers a range of known payloads and a previously undocumented backdoor called TorNet to connect with the TOR network.

The actor uses phishing as the initial attack vector and scheduled tasks for persistence. Unusually, the malware also takes the device off the network (by releasing its DHCP lease) before dropping and executing the payload, and reconnects it afterward.

How does the phishing campaign work?

The attacks start with a phishing email that impersonates a financial institution or a manufacturing and logistics company. The email lures the recipient with fake money transfer confirmations and fake order receipts.

So far, most of the emails have been in Polish and German, suggesting that the threat actors may be targeting users in those countries. However, some phishing emails have also surfaced in English.

The attachments carry a .tgz extension, meaning they are gzip-compressed tar archives. The recipient must open the attachment, unpack it, and run the loader executable it contains. This loader is responsible for fetching the PureCrypter malware and running it in memory.

How does the phishing attack use PureCrypter malware?

Cisco Talos analyzed the compressed attachment files and found that they contain a large .NET executable file. This executable is configured to download additional executables or load an embedded binary. Some samples downloaded the PureCrypter malware binaries and stored them with arbitrary filenames and different file extensions. In some cases, PureCrypter was directly embedded in the loader.

PureCrypter is a Windows dynamic-link library obfuscated with Eziriz .NET Reactor. It creates a mutex on the infected device and runs a command to release the currently assigned DHCP IP address. It then establishes persistence, performs anti-analysis and detection-evasion checks, drops and executes the payload, and finally runs a command to renew the IP address. Taking the host off the network for the duration of the drop is an uncommon technique and is most likely intended to evade detection.

What is the TorNet backdoor?

In some cases, Cisco Talos observed the PureCrypter malware dropping a previously unknown backdoor called TorNet. This backdoor establishes a connection to the C2 server and connects the infected device to the TOR network. It can also obtain and run .NET assemblies in the machine’s memory.

The malware will decode a string to obtain the port number, C2 domain, and a 16-character string (5e7a81857a353068). Similar to PureCrypter, it will also perform several checks for anti-debugging, anti-malware, anti-VM, and sandbox evasion.

Cisco Talos could not obtain a response from the C2 during its analysis, but determined that the response would be an arbitrary .NET assembly that the backdoor loads and runs in memory, which lets the actor extend its capabilities on demand. The backdoor connects the infected device to the Tor network by downloading the Tor Expert Bundle, unpacking it, and running it as a background process.

The Cisco Talos blog contains additional technical details regarding TorNet.

Analyst comments from Tanium’s Cyber Threat Intelligence team

One of the most interesting techniques in this campaign is taking the victim's device off the network by releasing its IP address, carrying out the malicious activity, and then reconnecting it. This can potentially help the actor evade detection, especially network-based controls or detections that rely on a narrow set of indicators.

This technique, coupled with TorNet’s ability to anonymize communication to the C2 server, reveals the extra steps the actor is taking to avoid detection.
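The release/execute/renew sequence described above (in the PureCrypter section and in the analyst comments) is a host-side behavior, so it is visible in process-creation telemetry even when the network sensor sees nothing. The following is an added detection example written for this roundup, not code from Cisco Talos or Tanium. It assumes the lease is cycled with the Windows built-in ipconfig /release and ipconfig /renew switches (the page only says the DHCP address is released and renewed), and the event records are constructed for illustration in the shape of Sysmon Event ID 1 fields. A parent process is flagged only if it spawns something else between the release and the renew; a bare release/renew pair, as a help-desk technician might run, is not flagged.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / EDR style).
# Illustrative records only, not telemetry from the Talos report.
EVENTS = [
    # loader launched by explorer after the user runs the unpacked attachment
    {"ts": "2025-01-20T10:00:01", "pid": 4101, "ppid": 3990,
     "image": r"C:\Users\jan\AppData\Local\Temp\Order_Receipt.exe", "cmdline": "Order_Receipt.exe"},
    {"ts": "2025-01-20T10:00:03", "pid": 4120, "ppid": 4101,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /release"},
    {"ts": "2025-01-20T10:00:05", "pid": 4131, "ppid": 4101,
     "image": r"C:\Users\jan\AppData\Roaming\WinUpd.exe", "cmdline": "WinUpd.exe"},
    {"ts": "2025-01-20T10:00:08", "pid": 4140, "ppid": 4101,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /renew"},
    # benign: a technician cycles the lease from a cmd.exe window
    {"ts": "2025-01-20T11:15:00", "pid": 5210, "ppid": 5200,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /release"},
    {"ts": "2025-01-20T11:15:02", "pid": 5211, "ppid": 5200,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /renew"},
    # benign: a release with no renew inside the window
    {"ts": "2025-01-20T12:00:00", "pid": 6001, "ppid": 6000,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /release"},
    {"ts": "2025-01-20T12:00:01", "pid": 6002, "ppid": 6000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

WINDOW = timedelta(minutes=5)   # release and renew are expected close together


def _is_ipconfig(ev):
    return ntpath.basename(ev["image"]).lower() == "ipconfig.exe"


def _ipconfig_with(ev, switch):
    # The /release and /renew switch names are an assumption of this example.
    return _is_ipconfig(ev) and switch in ev["cmdline"].lower()


def find_offline_execution(events, window=WINDOW):
    """Return {parent_pid: [images spawned while the host was offline]}.

    For each parent process, look for an ipconfig /release followed within
    `window` by an ipconfig /renew, and report any non-ipconfig child process
    the same parent started in between.
    """
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)

    hits = {}
    for ppid, evs in by_parent.items():
        evs = sorted(evs, key=lambda e: e["ts"])   # ISO timestamps sort lexically
        for i, ev in enumerate(evs):
            if not _ipconfig_with(ev, "/release"):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            spawned = []
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                if _ipconfig_with(later, "/renew"):
                    if spawned:
                        hits.setdefault(ppid, []).extend(spawned)
                    break
                if not _is_ipconfig(later):
                    spawned.append(later["image"])
    return hits


if __name__ == "__main__":
    for ppid, images in find_offline_execution(EVENTS).items():
        print(f"parent pid {ppid} spawned while offline: {images}")
```

Run against the constructed events, only parent 4101 (the loader) is reported, with the dropped WinUpd.exe as the process it started while the host had no address. The real sequence in the campaign runs inside PureCrypter rather than the loader, so in production telemetry the interesting parent may be a process hosting an injected .NET assembly; keying on the parent's behavior rather than its name is what makes the check robust to that.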

Lynx ransomware group operates advanced affiliate program

Researchers at Group-IB recently shared details about the new Lynx ransomware-as-a-service (RaaS) group, which has a highly organized platform and sophisticated affiliate program.

Group-IB’s report provides great insights about Lynx, including details about the group’s affiliate panel, internal communications, and their tactics, techniques, and procedures (TTPs).


What to know about the Lynx affiliate panel

Group-IB successfully infiltrated the group and gained access to its affiliate panel. This research uncovered that the panel has five sections:

  1. The News section is the central hub for various updates and announcements and provides affiliates with information about new features.
  2. The Companies section functions as a platform for affiliates to manage their victims. Here, affiliates can create victim profiles, generate unique ransomware samples, and open a dedicated chat for each victim.
  3. The Chats section is where affiliates can access the created chats.
  4. The Stuffers section offers affiliates a method to manage sub-affiliates or team members during collaborative engagements.
  5. The Leaks section is where affiliates can publish companies that they have successfully attacked but have not yet received the ransom payment from.

Technical details about Lynx ransomware

Lynx ransomware comes in both Windows and Linux variants. The Linux variant has not yet been observed in the wild.

One key difference in the latest Windows variant compared to those observed last year is a new “mode” option, allowing the attacker to select the percentage of a file to encrypt. This enables the attacker to determine the trade-off between speed and the amount of encrypted data. This variant will perform its encryption, change the desktop wallpaper to a ransom note, and even attempt to print it.
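The percentage "mode" above is a form of partial (intermittent) encryption: the less of each file is encrypted, the faster the run, at the cost of leaving recoverable data behind. The following is an added illustration written for this roundup, not Lynx's code, and it does not claim to reproduce Lynx's chunking, mode names or cipher. It encrypts the first N percent of every 4 KiB block with a SHA-256 counter-mode keystream (a stand-in stream cipher so the example runs on the standard library alone), reports how many bytes were touched for a given percentage, and shows the defender's side of the trade-off: whole-file entropy can stay unremarkable at low percentages, but a windowed entropy scan sees alternating high- and low-entropy regions that a normal document does not have. The sample file and key are constructed.

```python
import hashlib
import math

CHUNK = 4096    # the encrypt-or-skip decision is made per block of this size
WINDOW = 512    # granularity of the defender's entropy scan

# Constructed low-entropy "document" and a throwaway key for the example.
SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 400)[:16384]
KEY = b"example-key-not-secret"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def partial_encrypt(data: bytes, key: bytes, percent: int) -> bytes:
    """XOR the first `percent` of every CHUNK-byte block; the rest stays clear.
    Because it is XOR, the same call with the same key decrypts."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be 0..100")
    out = bytearray(data)
    for off in range(0, len(data), CHUNK):
        block = data[off:off + CHUNK]
        n = len(block) * percent // 100
        ks = keystream(key, off.to_bytes(8, "big"), n)   # per-block nonce
        for i in range(n):
            out[off + i] = block[i] ^ ks[i]
    return bytes(out)


def encrypted_bytes(size: int, percent: int) -> int:
    """How much I/O and cipher work a given percentage costs the attacker."""
    return sum(min(CHUNK, size - off) * percent // 100
               for off in range(0, size, CHUNK))


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def window_entropies(data: bytes, window: int = WINDOW):
    return [entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_partially_encrypted(data: bytes, high=7.0, low=6.0) -> bool:
    """A file that mixes near-random windows with ordinary-text windows is the
    signature of partial encryption; fully encrypted and clear files are not."""
    ws = window_entropies(data)
    return max(ws) > high and min(ws) < low


def trade_off(data: bytes, key: bytes, percent: int) -> dict:
    ct = partial_encrypt(data, key, percent)
    return {
        "percent": percent,
        "bytes_encrypted": encrypted_bytes(len(data), percent),
        "whole_file_entropy": round(entropy(ct), 2),
        "flagged_by_window_scan": looks_partially_encrypted(ct),
    }


if __name__ == "__main__":
    for p in (0, 25, 50, 100):
        print(trade_off(SAMPLE, KEY, p))
```

At 25% the attacker touches a quarter of the bytes, the whole-file entropy sits well below what a ransomware heuristic keyed on "entropy near 8" would flag, yet the windowed scan flags the file immediately. The 0% and 100% cases are not flagged by this particular check by design: the first is a clean file and the second is caught by the ordinary whole-file test.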

Analyst comments from Tanium’s Cyber Threat Intelligence team

The Lynx ransomware group combines advanced technical capabilities with a mature, well-organized affiliate program. It is a good example of how ransomware groups, especially RaaS operations, increasingly operate like businesses rather than traditional cybercriminal syndicates.

It’s also worth pointing out that this group will enumerate local printers and try to send the ransom note to connected printers, which is uncommon.

Group-IB closes its report by mentioning that “only a proactive and adaptive defensive strategy will safeguard critical data and maintain business resilience.” This statement applies to many threats.

Cisco Talos releases Q4 incident response trends report

Cisco Talos released its quarterly trends report for Q4 2024, covering key observations from incident response engagements during this time.

Most notably, Cisco Talos observed a spike in both web shell usage and the exploitation of public-facing applications.

Web shell spike

Cisco Talos observed threat actors deploying web shells in 35% of its incident response engagements, specifically open-source and publicly available web shells placed on vulnerable or unpatched web applications. This is a significant increase from 10% in the third quarter of 2024.

Ransomware trends

Roughly 30% of Cisco Talos’ engagements for the fourth quarter centered around ransomware, pre-ransomware, and data theft extortion, down from 40% in the previous quarter. They also observed a mix of new ransomware actors like Interlock and previously observed ransomware like Black Basta and RansomHub.

In most ransomware incidents investigated by Cisco Talos, the attacker’s dwell time ranged from 17 to 44 days. Cisco Talos points out that longer dwell times “can indicate that an adversary is trying to expand their access, evade defenses, and/or identify data of interest for exfiltration.”

Cisco Talos also noted that ransomware actors utilized remote access tools in 100% of their ransomware incident engagements this quarter. This figure represents a significant increase from the previous quarter, during which remote access tools were observed in only 13% of these engagements.

Targeted sectors

For the second consecutive quarter, the education sector was the top target, followed by financial services, healthcare, and public administration.

Initial access

For the first time in more than a year, Cisco Talos determined that the top means of initial access was the exploitation of public-facing applications, observed in about 40% of engagements where the initial access vector could be determined.

For the past few quarters, valid accounts have been the top means of initial access. Last quarter, this dropped to second. Since December, Cisco Talos has also seen a surge in password spraying attacks that lock users out of their accounts or deny VPN access.
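Password spraying has a distinctive shape in authentication logs: one source tries a small number of passwords against many accounts, staying under the per-account lockout threshold rather than hammering one user. The following is an added detection example written for this roundup, not code from Cisco Talos or Tanium. It runs over constructed VPN/IdP-style log lines (the format and the addresses are invented for the example), groups failures per source in a sliding window, and raises an alert when a source has failed against many distinct users with only a few attempts each. A single-user brute force and a user who mistypes once and then succeeds are included so the check can be seen not firing on them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines for the example; not real data.
LOG = """\
2025-01-10T07:59:58 src=192.0.2.5 user=carol result=FAIL
2025-01-10T08:00:03 src=192.0.2.5 user=carol result=OK
2025-01-10T08:00:10 src=203.0.113.7 user=alice result=FAIL
2025-01-10T08:00:11 src=203.0.113.7 user=bob result=FAIL
2025-01-10T08:00:12 src=203.0.113.7 user=carol result=FAIL
2025-01-10T08:00:13 src=203.0.113.7 user=dave result=FAIL
2025-01-10T08:00:14 src=203.0.113.7 user=erin result=FAIL
2025-01-10T08:00:15 src=203.0.113.7 user=frank result=FAIL
2025-01-10T08:00:16 src=203.0.113.7 user=grace result=LOCKED
2025-01-10T08:03:00 src=198.51.100.9 user=bob result=FAIL
2025-01-10T08:03:01 src=198.51.100.9 user=bob result=FAIL
2025-01-10T08:03:02 src=198.51.100.9 user=bob result=FAIL
2025-01-10T08:03:03 src=198.51.100.9 user=bob result=FAIL
2025-01-10T08:03:04 src=198.51.100.9 user=bob result=FAIL
2025-01-10T08:03:05 src=198.51.100.9 user=bob result=LOCKED
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Yield dicts for lines matching the constructed key=value format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per source that, within `window`, failed against at
    least `min_users` distinct accounts with at most `max_per_user` attempts
    each. The low per-user cap is what separates spraying from brute force."""
    failures = defaultdict(list)          # src -> [(ts, user, result)]
    for ev in parse(lines):
        if ev["result"] != "OK":
            failures[ev["src"]].append((ev["ts"], ev["user"], ev["result"]))

    alerts = []
    for src, items in failures.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            per_user = defaultdict(int)
            locked = 0
            for ts, user, result in items[i:]:
                if ts - t0 > window:
                    break
                per_user[user] += 1
                locked += result == "LOCKED"
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({
                    "src": src,
                    "start": t0.isoformat(),
                    "users": sorted(per_user),
                    "locked_out": locked,
                })
                break                     # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spray(LOG.splitlines()):
        print(f"spray from {a['src']} starting {a['start']}: "
              f"{len(a['users'])} users, {a['locked_out']} locked out")
```

On the sample lines only 203.0.113.7 is reported (seven users, one attempt each, one lockout); 198.51.100.9 is excluded because all of its attempts target one account, which a separate brute-force rule should cover. In practice the source field is often a rotating proxy address, so the same logic is worth running keyed on a user-agent or client-fingerprint field as well.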


Multi-factor authentication: A top security weakness

According to Cisco Talos, the absence of multi-factor authentication (MFA) ranked among the top security weaknesses in the fourth quarter. Nearly 40% of all engagements featured misconfigured, weak, or nonexistent MFA. Furthermore, 100% of the organizations affected by ransomware either lacked proper MFA implementation or had it bypassed through social engineering.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Ransomware incidents accounted for a smaller share of engagements than in the previous quarter (roughly 30% versus 40%). While this certainly doesn't mean ransomware is disappearing anytime soon, it may indicate a shift in focus among threat actors.

Additionally, threat actors appear to be returning to trusted tactics, such as exploiting vulnerabilities. For the first time in over a year, Cisco Talos has identified the exploitation of publicly facing applications as the primary method of initial access.

In the report, Cisco Talos also provides recommendations for addressing their most significant observed security weaknesses, including implementing MFA and regular patching.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
