TrojanDropper:O97M/Tobfy

This threat is a malicious macro script created by malware perpetrators for Microsoft Office files. The macro can install and run Ransom:Win32/Tobfy ransomware on your PC.

It can be installed when you open a malicious attachment to a spam email. For example, we have seen this threat attached to spam emails claiming to have a business deal for you, but commonly see many lures such as invoices, purchase orders, traffic tickets, late payment notices, or package deliveries.

The emails will have a Word document (.doc file) attachment, and when opened, presents you with a social-engineering attack:

The document pretends to be locked and uses social engineering to convince the user to enable the macros on the document. If the user clicks Enable Content, the macros is enabled and then malicious macros in the document runs.

These malicious macros can infect the PC with Ransom:Win32/Tobfy, a disk-encrypting ransomware. It does this by dropping three files in your %appdata% folder, such as:

• %appdata%\couth.exe
• %appdata%\csrss_<hex digits>.exe
• %appdata%\wsrv_<hex digits>.exe

These Tobfy files have been seen downloading further files from command and control (C&C) servers, such as:

• hxxp://www.viplavka24.ru/system/logs.inst1.exe
• hxxp://www.viplavka24.ru/system/logs/ss2_2.bin
• hxxp://www.ip-fl.ru/system/logs/inst1.exe
• hxxp://www.ip-fl.ru/system/logs/ss2_2.bin