Tofsee variants can be installed by exploits, such as Exploit:JS/Neclu, or by phishing attacks in which they pose as a legitimate application. They can also be downloaded by other malware, such as TrojanDownloader:Win32/Tofsee.
Installation
The main Tofsee component is usually packed with a Visual Basic packer. It unpacks itself in memory to run its malicious code.
It drops a copy of itself into various folders on your PC. We have seen it install to %USERPROFILE%\<random file name>, for example %USERPROFILE%\qzgnsdhi.exe.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSConfig"
With data: "%USERPROFILE%\<random file name>.exe", for example "%USERPROFILE%\qzgnsdhi.exe"
It also drops and runs a batch file in %TEMP% that deletes the original file and then the batch file itself.
Tofsee creates the following registry entry to save its configuration information:
In subkey: HKCU\Software\Microsoft\DeviceControl
Sets value: "DevData"
With data: "<binary form of the encrypted configuration information>", which decrypts to a string such as "localcfg.....flags_udp.0.born_date.1288388957.id.2076751039.loader_id.11"
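The two registry artifacts above can be hunted for on a collected registry export rather than on a live machine. The following Python script is an added example, not part of the original analysis: it parses a .reg export of HKEY_CURRENT_USER (the text that `reg export HKCU <file>` writes), flags a Run value named "MSConfig" that points at an eight-letter .exe in the profile root, and splits the DevData blob into key/value pairs. The sample export is constructed for illustration, and the layout assumed for the decoded blob (a "localcfg" header followed by alternating keys and values separated by non-printable bytes) is inferred from the example string above, not documented here; the page does not describe the decryption step, so the script takes the blob as already decrypted.

```python
"""Check a collected registry export for the Tofsee persistence and
configuration artifacts described above.

Added example, not part of the original analysis.  The value names and
paths come from the text above; the sample .reg text is constructed, and
the key/value layout assumed for the decoded DevData blob (a "localcfg"
header, then alternating keys and values separated by non-printable
bytes) is inferred from the example string, not documented by the page.
"""
import re
from datetime import datetime, timezone

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CFG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\DeviceControl"

# The dropped file sits directly under the profile root with an
# eight-letter lowercase name, e.g. C:\Users\alice\qzgnsdhi.exe.
PROFILE_ROOT_EXE = re.compile(r"^(?i:[a-z]:\\users\\[^\\]+\\)([a-z]{8})\.exe$")

# Constructed .reg export (what `reg export HKCU` would produce, decoded
# from UTF-16).  DevData spells the example configuration string from the
# text, with NUL bytes standing in for the non-printable separators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"MSConfig"="C:\\Users\\alice\\qzgnsdhi.exe"

[HKEY_CURRENT_USER\Software\Microsoft\DeviceControl]
"DevData"=hex:6c,6f,63,61,6c,63,66,67,00,00,00,00,00,66,6c,61,67,73,5f,75,64,70,\
  00,30,00,62,6f,72,6e,5f,64,61,74,65,00,31,32,38,38,33,38,38,39,35,37,00,69,64,\
  00,32,30,37,36,37,35,31,30,33,39,00,6c,6f,61,64,65,72,5f,69,64,00,31,31
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text.

    REG_SZ values become str (escapes removed); hex: values become bytes.
    Other value types are kept as their raw text, which is enough here.
    """
    # Join hex continuation lines (trailing backslash, indented next line).
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.startswith("hex:"):
                data = bytes.fromhex(data[4:].replace(",", ""))
            keys[current][name] = data
    return keys


def find_run_persistence(keys):
    """Flag Run values named "MSConfig" (the name Tofsee uses) and note
    whether the target matches the profile-root drop location."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() != "msconfig" or not isinstance(data, str):
            continue
        path = data.strip('"')
        hits.append({"value": name, "path": path,
                     "profile_root_exe": bool(PROFILE_ROOT_EXE.match(path))})
    return hits


def decode_devdata(blob):
    """Split a decrypted DevData blob on runs of non-printable bytes and
    pair the remaining tokens (assumption: header, then key, value, ...)."""
    tokens = [t.decode("ascii") for t in re.split(rb"[^\x20-\x7e]+", blob) if t]
    header, rest = tokens[0], tokens[1:]
    return header, dict(zip(rest[0::2], rest[1::2]))


def born_date_utc(cfg):
    """born_date looks like a Unix timestamp (assumption); decode it so the
    infection can be placed on a timeline."""
    return datetime.fromtimestamp(int(cfg["born_date"]), tz=timezone.utc)


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for hit in find_run_persistence(keys):
        print("Run persistence:", hit)
    header, cfg = decode_devdata(keys[CFG_KEY]["DevData"])
    print(header, cfg, "born", born_date_utc(cfg).isoformat())
```

`reg export` writes UTF-16 text, so open a real export with `encoding="utf-16"` before passing its contents to `parse_reg_export`. On the constructed sample the script reports the MSConfig value pointing at C:\Users\alice\qzgnsdhi.exe and decodes DevData to flags_udp=0, born_date=1288388957 (2010-10-29 21:49:17 UTC), id=2076751039, loader_id=11.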
It also creates a file to save the encrypted configuration data. We have seen it use the following files:
Payload
Sends spam emails
Tofsee creates a new svchost.exe process, injects its main payload into it, and runs the payload from there.
It connects to one of the following command-and-control servers to retrieve the latest configuration information:
- 103.244.2.45
- 111.121.193.238
- 123.45.67.89
- 188.190.114.19
- 213.155.0.208
- 46.165.222.4
- 88.165.132.183
- rgtryhbgddtyh.biz
- wertdghbyrukl.ch
It uses this configuration data to send spam emails.
An example spam message is shown below:
Downloads malicious plugins
Tofsee variants can also install additional plugin files, depending on the contents of the configuration file. These can include:
- plg_sys - SHA1: 05e8e23575645a8af681125b202a90826d3b4c96
- plg_sniff - SHA1: 11516f319e84473179ee3cdfc488c9e807cf006a
- plg_antibot - SHA1: 1bbd298614c3ef5510bab6067cd7016e3b717259
- plg_webb - SHA1: 279844d36e20ab94142b51ed5dba5be6ed879562
- plg_webm - SHA1: 60a3d0988fce2ec9f663f77398e38c2271bbb8f2
- plg_ddos - SHA1: 46a39d4561908d38a85e173730954fd3aeaed400
- plg_locs - SHA1: 50ce6332121b0a49961e6360b61ada2d29b8a0c7
- plg_smpt - SHA1: 5da345e23b2e9d78af8ed897a07e2e9c4f77714c
- plg_spread - SHA1: 6ccd64b905e044aabc0bbea9a0c26859d9da154a
- plg_proxy - SHA1: 70c81ed3a0c1793ed6a22c77e984ecd35664d8ba
- plg_miner - SHA1: a1290ad41bf644a34b2fc6638298b41984936b5c
- plg_protect - SHA1: b4f47b9b6d8900be6912085f78cfebc0f005edb4
- plg_text - SHA1: e0cacdeb3a81fd5e98991220d021254b1c3e2616
- plg_spread2 - SHA1: e5ecbb89acbc62fcecf5c5d7481483f940b35cc3
The plugin payload varies, but can include DDoS attacks and digital coin mining. For example:
- plg_antibot can stop running processes, delete files, and remove registry keys. The targets are passed to the module's export function as a parameter and are taken from the configuration data.
- plg_proxy can set up a proxy server on your PC, using settings taken from the configuration data.
- plg_ddos can conduct DDoS attacks against targets taken from the configuration data.
- plg_miner can mine digital coins, such as Bitcoin or Litecoin.
Analysis by Steven Zhou