Tofsee variants can be installed by exploits, such as Exploit:JS/Neclu, or by phishing attacks where they pose as a legitimate application. They can also be downloaded by other malware, such as TrojanDownloader:Win32/Tofsee.
Installation
The main Tofsee component is usually packed with a Visual Basic packer. It unpacks itself in memory to run its malicious code.
It drops a copy of itself into various folders on your PC. We have seen it install to %USERPROFILE%\<random file name>, for example %USERPROFILE%\qzgnsdhi.exe.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSConfig"
With data: "%USERPROFILE%\<sample name>.exe", for example %USERPROFILE%\qzgnsdhi.exe
It drops and runs a batch file in %TEMP% to delete the original file and the batch file.
Tofsee creates the following registry entry to save its configuration information:
In subkey: HKCU\Software\Microsoft\DeviceControl
Sets value: "DevData"
With data: "<Binary format of encrypted configuration information>", for example, "localcfg.....flags_udp.0.born_date.1288388957.id.2076751039.loader_id.11"
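A triage check for the two registry artifacts above, added here as an example (Python, not code from the original page or from Microsoft): it parses a constructed .reg export of HKCU, flags a Run value named "MSConfig" or any Run value that launches an .exe sitting directly in the profile root (the general form of the %USERPROFILE%\<random file name>.exe pattern, so it also catches other value names), and reports the presence of a DeviceControl\DevData value. The user name, file name and hex data in the sample export are constructed; only the key and value names come from the description.

```python
import re
from typing import Dict, List

# Constructed .reg export standing in for one taken from a suspect user profile.
# The user name, file name and value data are made up; only the key and value
# names come from the Tofsee description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MSConfig"="C:\\Users\\alice\\qzgnsdhi.exe"

[HKEY_CURRENT_USER\Software\Microsoft\DeviceControl]
"DevData"=hex:6c,6f,63,61,6c,63,66,67,00,00,00,00,00,66,6c,61,67,73,5f,\
  75,64,70,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CFG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\DeviceControl"

# An .exe directly in the profile root (%USERPROFILE%\<name>.exe), not in a
# subfolder; accepts the expanded (C:\Users\<user>\...) and unexpanded forms,
# optional surrounding quotes and trailing arguments.
PROFILE_ROOT_EXE = re.compile(
    r'^"?(?:[a-z]:\\users\\[^\\]+|%userprofile%)\\[^\\"]+\.exe"?(?:\s.*)?$', re.I)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Joins the trailing-backslash continuation lines used for hex: data."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # hex: continuation
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def unquote(data: str) -> str:
    """Turn a quoted REG_SZ literal from a .reg file back into the stored string
    (.reg escapes backslashes and double quotes with a backslash)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    return data


def check_tofsee_artifacts(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious Run value, plus one if the
    DeviceControl\\DevData configuration store exists (presence only; the
    blob itself is encrypted and is not decoded here)."""
    lc = {k.lower(): v for k, v in reg.items()}
    findings: List[str] = []
    for name, raw in lc.get(RUN_KEY.lower(), {}).items():
        data = unquote(raw)
        reasons = []
        if name.lower() == "msconfig":
            reasons.append("value name 'MSConfig'")
        if PROFILE_ROOT_EXE.match(data):
            reasons.append("executable in profile root")
        if reasons:
            findings.append(f"Run\\{name} -> {data} [{'; '.join(reasons)}]")
    if "DevData" in lc.get(CFG_KEY.lower(), {}):
        findings.append("DeviceControl\\DevData present (Tofsee configuration store)")
    return findings


if __name__ == "__main__":
    for finding in check_tofsee_artifacts(parse_reg(SAMPLE_REG)):
        print(finding)
```

Because the check works on an export rather than the live registry, it can be run offline against artifacts collected from a host (for example the output of `reg export HKCU\Software hkcu.reg`). A Run value pointing at an executable in the profile root is worth a look on its own, since legitimate software installs under Program Files or AppData; the combination with the MSConfig name and the DevData value is what points specifically at Tofsee.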
It also creates a file to save the encrypted configuration data. We have seen it use the following files:
Payload
Sends spam emails
Tofsee creates a new svchost.exe process, injects its main payload into it, and runs the payload from there.
It connects to one of the following remote control systems to retrieve the latest configuration information:
- 103.244.2.45
- 111.121.193.238
- 123.45.67.89
- 188.190.114.19
- 213.155.0.208
- 46.165.222.4
- 88.165.132.183
- rgtryhbgddtyh.biz
- wertdghbyrukl.ch
It uses this configuration data to send spam emails.
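A log-matching example for the remote control systems listed above, added here (Python, not code from the original page or from Microsoft): it scans constructed firewall and DNS log lines for the listed IP addresses and domains. IP addresses are matched as whole tokens so that 46.165.222.4 does not fire on an unrelated 46.165.222.45, and a hostname is a hit if it is a listed domain or a subdomain of one (mail.rgtryhbgddtyh.biz in the sample is a constructed example of that). The log format, timestamps and internal hosts are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Remote control systems listed in the Tofsee description.
TOFSEE_C2_IPS: Set[str] = {
    "103.244.2.45", "111.121.193.238", "123.45.67.89", "188.190.114.19",
    "213.155.0.208", "46.165.222.4", "88.165.132.183",
}
TOFSEE_C2_DOMAINS: Set[str] = {"rgtryhbgddtyh.biz", "wertdghbyrukl.ch"}

# Constructed log lines (firewall and DNS style); times, hosts and ports are made up.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw src=10.0.0.17 dst=46.165.222.45 dport=443 action=allow",
    "2024-03-01T10:00:02Z fw src=10.0.0.17 dst=46.165.222.4 dport=80 action=allow",
    "2024-03-01T10:00:03Z dns client=10.0.0.17 query=mail.rgtryhbgddtyh.biz type=A",
    "2024-03-01T10:00:04Z dns client=10.0.0.22 query=example.com type=A",
    "2024-03-01T10:00:05Z fw src=10.0.0.22 dst=188.190.114.19 dport=25 action=deny",
]

# Dotted quad bounded by non-digit, non-dot characters, so a listed address is
# never matched as a prefix of a longer one.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname with at least two labels; also matches dotted quads, filtered below.
HOST_RE = re.compile(
    r"(?<![\w.-])([a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)(?![\w.-])", re.I)


def matching_domain(host: str) -> Optional[str]:
    """Return the listed domain that host equals or sits under, else None.
    Walks parent suffixes but stops before the bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in TOFSEE_C2_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> List[str]:
    """All indicator hits in one log line, in order of appearance."""
    hits: List[str] = []
    for ip in IP_RE.findall(line):
        if ip in TOFSEE_C2_IPS:
            hits.append(f"ip:{ip}")
    for host in HOST_RE.findall(line):
        if IP_RE.fullmatch(host):
            continue  # dotted quads were handled above
        domain = matching_domain(host)
        if domain:
            hits.append(f"domain:{domain} (seen as {host})")
    return hits


def scan_logs(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map line index -> hits for every line that touched a listed indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}  <- {SAMPLE_LOGS[idx]}")
```

A hit on the DNS query alone is useful even when the firewall later blocks the connection (the last sample line is denied): the lookup shows a host is already running the bot and trying to fetch its configuration, which is the signal to pull the registry artifacts from the Installation section on that machine.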
An example spam message is shown below:
Downloads malicious plugins
Tofsee variants can also install additional plugin files, depending on the contents of the configuration file. These can include:
- plg_sys - Sha1: 05e8e23575645a8af681125b202a90826d3b4c96
- plg_sniff - Sha1: 11516f319e84473179ee3cdfc488c9e807cf006a
- plg_antibot - Sha1: 1bbd298614c3ef5510bab6067cd7016e3b717259
- plg_webb - Sha1: 279844d36e20ab94142b51ed5dba5be6ed879562
- plg_webm - Sha1: 60a3d0988fce2ec9f663f77398e38c2271bbb8f2
- plg_ddos - Sha1: 46a39d4561908d38a85e173730954fd3aeaed400
- plg_locs - Sha1: 50ce6332121b0a49961e6360b61ada2d29b8a0c7
- plg_smpt - Sha1: 5da345e23b2e9d78af8ed897a07e2e9c4f77714c
- plg_spread - Sha1: 6ccd64b905e044aabc0bbea9a0c26859d9da154a
- plg_proxy - Sha1: 70c81ed3a0c1793ed6a22c77e984ecd35664d8ba
- plg_miner - Sha1: a1290ad41bf644a34b2fc6638298b41984936b5c
- plg_protect - Sha1: b4f47b9b6d8900be6912085f78cfebc0f005edb4
- plg_text - Sha1: e0cacdeb3a81fd5e98991220d021254b1c3e2616
- plg_spread2 - Sha1: e5ecbb89acbc62fcecf5c5d7481483f940b35cc3
The plugin payloads vary, and include DDoS attacks and Bitcoin mining. For example:
- module plg_antibot can stop running processes, delete files, and remove registry keys based on target information. This target information is passed as a parameter to the module's export function and comes from the configuration data.
- module plg_proxy can set up a proxy server on your PC based on information from the configuration data.
- module plg_ddos can conduct DDoS attacks based on information from the configuration data.
- module plg_miner can conduct digital coin mining, such as Bitcoin or Litecoin mining.
Analysis by Steven Zhou