Security researchers from Cisco Talos have identified an increase in spam campaigns launched by a botnet serving the Tofsee malware.
Tofsee Aggressively Targets Victims via Awakened Botnet
The Tofsee malware is not a new threat, having been around since 2013. However, an aggressive botnet is now launching a large number of spam campaigns with it. The threat has several modules that can carry out different activities such as click fraud, cryptocurrency mining, and spam messaging. Upon infection, the victim systems are recruited into the spam botnet and used to send copies of Tofsee to other systems.
The damage caused by Tofsee's criminal operators grows incrementally as the number of recruited victim hosts increases. Earlier this year Cisco Talos reported that the well-known RIG exploit kit was being used to deliver Tofsee to compromised systems through malvertising.
At the beginning of the year, the spam campaign used advertising related mainly to adult dating sites and pharmaceuticals. In August the botnet changed its tactics: the Tofsee network started to utilise malicious attachments that act as malware downloaders, a new type of attack whose volume has vastly increased.
Infection occurs by social engineering the targets into opening the malicious attachments sent through the spam emails. The phishing messages pose as emails from women in Eastern European countries such as Russia and Ukraine. Each email contains a different variant of the phishing text to appear more legitimate. The contents also include links to a Russian adult dating site.
The malicious attachment is a zip file named according to the formula [SENDER NAME]-photos.zip, containing an obfuscated JavaScript file. This is the actual downloader: it retrieves a PE32 executable from remote servers, which is the source of the Tofsee infection.
The binary file is downloaded to the %USERPROFILE% location and also registered to start at boot time using the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The malware deletes the temporary initial binary to avoid detection by security solutions. Once the infection has completed, the code connects to various SMTP relays and starts sending phishing emails. The developers have also made the threat generate periodic HTTP GET requests to simulate ad clicking.
Because of this, Tofsee continues to be regarded as an active threat.
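As an added defensive example (not code from the article or from Cisco Talos), the following Python heuristic shows how a mail gateway could flag the lure described above: it assumes the gateway supplies the sender's display name, the attachment filename and its raw bytes, and the sample archive it scores is constructed in memory with a placeholder member.

```python
import io
import re
import zipfile

# The article reports an obfuscated .js inside the archive; the other extensions
# are an assumption added here so the rule also covers sibling Windows script hosts.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")
LURE_NAME = re.compile(r"^(?P<sender>.+)-photos\.zip$", re.IGNORECASE)


def build_sample_zip(member_name: str) -> bytes:
    """Construct an in-memory archive with one placeholder member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder text, not a real downloader\n")
    return buf.getvalue()


def attachment_risk(sender_name: str, attachment_name: str, data: bytes) -> dict:
    """Score one attachment against the lure described in the article.

    Signals: (1) the filename follows "<sender name>-photos.zip", the strongest
    match being when the prefix equals the sender's display name, and (2) an
    archive presented as .zip carries a script member that would act as a
    downloader when opened (or is not a readable zip at all).
    """
    reasons = []
    name = attachment_name.strip()
    m = LURE_NAME.match(name)
    if m:
        if m.group("sender").strip().lower() == sender_name.strip().lower():
            reasons.append("filename is exactly <sender>-photos.zip")
        else:
            reasons.append("filename follows the *-photos.zip pattern")
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                scripts = [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
        except zipfile.BadZipFile:
            scripts = []
            reasons.append("claims to be .zip but is not a valid archive")
        if scripts:
            reasons.append("archive contains script file(s): " + ", ".join(scripts))
    # Both signals together are the Tofsee lure; either alone still deserves a look.
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(attachment_risk("Anna", "Anna-photos.zip", build_sample_zip("Anna.js")))
```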