SummaryTofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Earlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users that browse web sites that are serving compromised advertisements. This activity seemed to disappear in June, however Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.
Tofsee Spam CampaignsIn June 2016, following the disappearance of the Angler exploit kit from the threat landscape, other major exploit kits began to shift to different payloads. The RIG exploit kit moved from distributing Tofsee to other payloads, possibly because distributing them was more attractive to cybercriminals from a monetization standpoint or simply because different actors began using this exploit kit as a distribution mechanism for their malware.
Given the volume of spam messages that infected hosts attempt to distribute, new nodes are quickly added to DNS-based Blackhole Lists (DNSBL) and most of the major email service providers will not accept new message transmissions once this occurs. In order to keep spam levels consistent new nodes must be added constantly. When RIG stopped distributing Tofsee payloads, those responsible for Tofsee switched to alternative distribution methods.
While the Tofsee botnet has been known for sending spam messages, the messages have historically contained links to adult dating and pharmaceutical websites. Starting in August, Talos began to observe a change in the nature of the spam messages being sent by this botnet. The Tofsee spam botnet has begun utilizing malicious attachments that function as malware downloaders. This activity has increased in velocity and volume.
Figure 1: Number of Emails Containing Malware Downloaders
Initial Infection VectorThe initial infection for this variant of Tofsee appears to be accomplished by convincing users to open malicious attachments that are delivered via phishing emails. The phishing emails purport to be from women in Eastern Europe (namely Russia and Ukraine) and the theme of the emails is adult dating. Each email contains slightly different text, however the same format is used across all of the messages Talos analyzed. The messages purport to contain an attached zip archive with pictures of the sender as well as links to a Russian adult dating website. Here is an example of a Tofsee message body:
Figure 2: Sample Tofsee Spam Message
Infection DetailsThe malware drops a randomly named PE32 executable into the %USERPROFILE% directory.
Figure 4: Dropped Tofsee Binary
The dropped executable is registered to start whenever the infected user logs onto the system. This is performed by adding an entry to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Figure 5: Persistence Mechanism
Figure 6: Batch File Stored in Temp
Once infected, systems will begin connecting to various SMTP relays and sending spam email messages.
Figure 7: SMTP Connections
Figure 8: HTTP Connections
ConclusionThreats are constantly evolving as attackers change the way in which they attempt to distribute malware and attack systems. Threat actors also constantly strive to expand their presence by taking advantage of the ever increasing number of Internet users and devices. By leveraging our vast visibility into the threat landscape, Talos is able to effectively monitor these threats and quickly detect changes in the tactics, techniques, and procedures attackers are using so that we can continually protect our customer’s networks and data.
CoverageAdditional ways our customers can detect and block this threat are listed below.
AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.ESA can block malicious emails sent by threat actors as part of their campaign.
Indicators of Compromise