MSRT November 2014 – Tofsee


This month we added the Win32/Tofsee and Win32/Zoxpng malware families to the Malicious Software Removal Tool.

Zoxpng is a backdoor component that can execute remote commands from a malicious hacker. It is related to Win32/Hikiti and the other threats added to the MSRT last month. Let’s take a closer look at Tofsee, the email-spamming malware family.

Tofsee is a multi-component malware family made up of three components: a loader, its main spambot payload, and plugins. Its primary payload is a spambot that is used to send spam email messages with malicious attachments from an infected PC. 

Tofsee loader and telemetry

The loader component of the Tofsee malware family is usually distributed via spam, phishing, social engineering, and exploit kits (such as Nuclear EK). Its purpose is to drop and execute the spambot binary. Like other malware, this payload binary tries to hide its malicious activity by spawning an svchost process and injecting into it.

The spambot persists across system reboots by setting one of the following autorun registry values:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Sets value: "MSConfig"
With data: <PayloadBinary_Path>

or

Sets value: "SessionInit"
With data: <PayloadBinary_Path>

The graphs below show the machine and file prevalence trending for Tofsee during the past 12 months. Telemetry shows that more than 50 percent of October detections were for the malicious code injected into the svchost process. The rest of the telemetry data comprises the dropper, payload, and plugins, which are usually detected by our generic signatures.

Figure 1: Monthly machine telemetry for Tofsee

Figure 2: Monthly file telemetry for Tofsee

Spambot component

Tofsee creates spam emails with an attached HTML file. The HTML file is generated dynamically from a template received from the remote command-and-control (C&C) server.

Below is an example snapshot of the spam email.

Figure 3: Snapshot of Tofsee spam email

The template is large and contains variables that are replaced by data retrieved from the C&C server. For example, the configuration information contains a variable named %LO_BODY_5FARM, which holds a predefined HTML template similar to this:

<html><head><meta http-equiv="Content-Type" content="text/html; charset=%CHARSET"><title>%RT_2</title></head><body bgcolor="#F%RND_HEXF%RND_HEXF%RND_HEX" text="#0%RND_DIGIT0%RND_DIGIT0%RND_DIGIT">%SYS_RN<div id="%RND_char[3-8]" style='font-size:22pt'><b>%{Dear}{Hello}{Hey}{Hi}{Good day}{Good Afternoon}{Good Evening}{Good time}{Greetings}%{ }{, } <u>%TO_NAME</u>%RND_DEXL Your health is our main concern%RND_DEXL</b></div>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN<div id='%RND_char[3-8]' style='color:#F%RND_HEX0%RND_HEX0%RND_HEX; font-size:18pt'>%{Look at}{Take a look at}{Note}{Check out} our new <b>AUTUMN</b> offers and save HUGE on the best %{meds}{drugs}{medications}%RND_DEXL</div>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN<div id='%RND_char[3-8]' style='font-size:18pt'><b>%{Today&#39;s Bestsellers}{Bestsellers}{Most Popular Products}{The Best Products}{Bestseller Products}{Best-Selling Products}{Top Bestsellers}{The Best Prices For}{Top-Sellers Today}{Best Prices On}{Unprecedented Prices On}:</b></div>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. 
%RT_1}%{}{.}</div>%SYS_RN<table cellspacing='%RND_NUM[4-12]'>%SYS_RN<tr>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>MEN&#39;S SEXUAL HEALTH:</font></td>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>GENERAL HEALTH:</font></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>- <b>Viagra</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.99</b></font><br>%SYS_RN- <b>Cialis</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$1.59</b></font><br>%SYS_RN- <b>Viagra <font size='-1'>Super Active+</font></b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$2.55</b></font><br>%SYS_RN- <b>Levitra</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$2.50</b></font><br>%SYS_RN- <b>Viagra <font size='-1'>Professional</font> </b>as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$3.50</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more...</i></font></td>%SYS_RN<td>- <b>SleepWell</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$38.9</b></font><br>%SYS_RN- <b>Synthroid</b> low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.35</b></font><br>%SYS_RN- <b>Celebrex</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.59</b></font><br>%SYS_RN- <b>Prednisolone</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.15</b></font><br>%SYS_RN- <b>Acomplia </b>as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$2.50</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more...</i></font></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>ANTI-ALLERGIC/ASTHMA:</font></td>%SYS_RN<td><font color='#0%RND_HEX0%RND_HEX8%RND_HEX'>ANTIBIOTICS:</font></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>- <b>Ventolin</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$21.50</b></font><br>%SYS_RN- <b>Advair</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$24.95</b></font><br>%SYS_RN- <b>Spiriva</b> as low as <font 
color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$28.90</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more...</i></font></td>%SYS_RN<td>- <b>Amoxicillin</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.52</b></font><br>%SYS_RN- <b>Zithromax</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.75</b></font><br>%SYS_RN- <b>Cipro</b> as low as <font color='#F%RND_HEX0%RND_HEX0%RND_HEX'><b>$0.30</b></font><br>%SYS_RN<font color='#8%RND_HEX8%RND_HEX8%RND_HEX'><i>and more...</i></font></td>%SYS_RN</tr>%SYS_RN</table>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN<table %{}{border='0'} cellspacing='%RND_NUM[5-12]'>%SYS_RN<tr>%SYS_RN<td>%SYS_RN<h3 id='%RND_char[3-8]'><b>%{Click Bellow}{Follow the URL bellow}{Follow this Link}{Follow the Link} to Visit %{Canadian}{World-Best}{The Best}{The Cheapest}{Popular}{Well-known}{Inexpensive}{Reasonable}{Affordable}{Express} %{Drugstore}{Drugstore Center}{Drugstore Mall}{Pharmacy}{Drug Mall}{Drugs Discounter}{Medications Mall}{Medications Discounter}%RND_DEXL</b></h3>%SYS_RN</td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>%SYS_RN<h1 id='%RND_char[3-8]' align='center'><a href='%EVA_AUTOURL%{?}{&#63;}%RNDPARS'>%CLICKHERE</a></h1>%SYS_RN</td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td><b>%{Our Advantages}{Our Benefits}{Benefits of Our Store}{Advantages of Our Drugstore}{Our Features}{Features of Our Store}{Features of Our Drugstore}:</b></td>%SYS_RN</tr>%SYS_RN<tr>%SYS_RN<td>- We %{Take}{Accept} <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>Visa</b></font>, <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>MasterCard</b></font>, <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>%{AMEX}{American Express}</b></font>, <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>Discover</b></font> and <font color='#0%RND_HEX0%RND_HEX8%RND_HEX'><b>E-check</b></font>!<br>%SYS_RN- We Deliver to ALL destinations Worldwide!<br>%SYS_RN- Order 3+ goods and get free Airmail 
Shipping!<br>%SYS_RN- Free Tablets Included in Each Order!<br>%SYS_RN- Meds Expiration Date of Over %RND_NUM[2-4] Years!<br>%SYS_RN- No Imitations! 100% Authentic Meds!<br>%SYS_RN- Secure and Confidential Online Shopping!<br>%SYS_RN- Easy Refunds and 24/7 Customer Support!</td>%SYS_RN</tr>%SYS_RN</table>%SYS_RN<p><font size='1' color='#8%RND_HEX8%RND_HEX8%RND_HEX'>%RND_CHERTA<br>%SYS_RNOur %{Mall}{Shop}{Discounter}{Drugstore} is licensed pharmacy, international %{license #}{lic #}{license num:}{lic number:}%RND_DIGIT[6-12] issued %RND_NUM[1-28] %{Jan}{Feb}{Mar}{Apr}{Mar}{Jun}{Jul}{Aug}{Sep}{Oct}{Nov}{Dec} 200%RND_DIGIT[1]</font></p>%SYS_RN<div style='color:#F%RND_HEXF%RND_HEXF%RND_HEX; font-size:%RND_NUM[2-5]px'>%{%RT_1}{%RT_1. %RT_1}%{}{.}</div>%SYS_RN</body></html>

This template uses many variables, such as %RND_DEXL, %RND_DIGITF, %RT_1, %SYS_RN and %EVA_AUTOURL. Each variable has corresponding data defined inside the configuration information; for example, the variable %AOL_FURL has the following data defined:


When the HTML is created, one of these values replaces the variable inside the HTML.
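The variable and %{...}{...} alternation syntax shown above is what an analyst has to tokenize to learn which C&C configuration values a captured template depends on, and how many distinct message bodies one template can produce. The following is an added example, not Tofsee's or Microsoft's code: a small Python parser whose grammar is inferred from the template on this page, and whose variable list (KNOWN_VARS) is an assumption taken from that template.

```python
import re

# Variable names from the page's template (assumed to be the bot's config keys),
# tried longest-first: "%RND_HEXF" must parse as "%RND_HEX" + literal "F".
KNOWN_VARS = sorted({"CHARSET", "RT_1", "RT_2", "RND_HEX", "RND_DIGIT", "RND_NUM",
                     "RND_char", "SYS_RN", "TO_NAME", "RND_DEXL", "EVA_AUTOURL",
                     "RNDPARS", "CLICKHERE", "RND_CHERTA"}, key=len, reverse=True)
# "%{" opens an alternation, "}" closes an option, "%NAME[lo-hi]" is a variable.
TOKEN_RE = re.compile(r"%\{|\}|%(" + "|".join(map(re.escape, KNOWN_VARS)) +
                      r")(?:\[(\d+)(?:-(\d+))?\])?")

def parse(tpl, i=0, inside=False):
    """Return (tokens, end). Tokens: ('text', s) | ('var', name, span) |
    ('alt', [option, ...]) where each option is itself a token list."""
    tokens = []
    while True:
        m = TOKEN_RE.search(tpl, i)
        end = m.start() if m else len(tpl)
        if end > i:
            tokens.append(("text", tpl[i:end]))
        if m is None or m.group(0) == "}":        # end of input / of this option
            if inside != (m is not None):         # missing or stray "}"
                raise ValueError("unbalanced alternation near %d" % end)
            return tokens, (m.end() if m else end)
        i = m.end()
        if m.group(0) == "%{":                    # %{opt}{opt}...; options nest
            options, i = [], i - 1                # step back onto the first '{'
            while tpl.startswith("{", i):
                opt, i = parse(tpl, i + 1, True)
                options.append(opt)
            tokens.append(("alt", options))
        else:
            lo, hi = m.group(2), m.group(3)
            tokens.append(("var", m.group(1), (int(lo), int(hi or lo)) if lo else None))

def summarize(tokens, refs=None):
    """Return ({variable: set of length spans}, variants): the config values the
    template needs, and how many distinct texts its alternations alone yield."""
    refs = {} if refs is None else refs
    variants = 1
    for t in tokens:
        if t[0] == "var":
            refs.setdefault(t[1], set()).add(t[2])
        elif t[0] == "alt":
            variants *= sum(summarize(opt, refs)[1] for opt in t[1])
    return refs, variants

# Short excerpt of the page's template, used here as the sample input.
SAMPLE = ("<body bgcolor=\"#F%RND_HEXF%RND_HEXF%RND_HEX\">%SYS_RN<div id='%RND_char[3-8]'>"
          "%{Dear}{Hello}{Hi}%{ }{, }<u>%TO_NAME</u>%{%RT_1}{%RT_1. %RT_1}%{}{.} 100% Real</div>")
```

Running `summarize(parse(SAMPLE)[0])` on this excerpt reports five configuration variables and 24 alternation-only variants; the random variables (%RND_HEX, %RND_char[3-8], ...) multiply that further, which is why byte-level signatures on the spam body fail and detection has to key on the structure instead.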

DLL Plugins and other malware

In addition to sending spam messages, some Tofsee variants can extend their malicious functionality by downloading and running additional plugin components.

These DLL plugins rely on the information downloaded as configuration data from the C&C server. The functions of these plugins can vary from DDoS attacks to Bitcoin mining.

The DLLs always contain one export function named plg_init that the malware invokes. We have identified the following malicious plugins:

  • plg_antibot – terminates processes
  • plg_ddos – DDoS attacks on websites
  • plg_locs – steals email credentials
  • plg_protect – protects itself from uninstallation
  • plg_proxy – acts as proxy server
  • plg_miner – a digital coin miner
  • plg_smtp – sends spam using Outlook
  • plg_sniff – sniffs traffic
  • plg_spread1 – sends messages on Facebook, Twitter, and Skype
  • plg_spread2 – replicates via removable drives
  • plg_sys – collects system information
  • plg_text – used for logging malware activity
  • plg_webm – sends spam using web mail
  • plg_webb – steals cookies

These plugins are detected as Backdoor:Win32/Tofsee.A!dll. The malware author can use this framework to distribute new and undetected plugins. We have also seen Tofsee downloading other threats, such as PWS:Win32/Fareit.

The Microsoft Malware Protection Center will continue to track this family and update our detections to help remove this threat from infected PCs. 

We recommend running an up-to-date, real-time security product such as Microsoft Security Essentials to help protect your PC from malware and unwanted software.

More details about each of the families added to the MSRT this month are in the Win32/Tofsee and Win32/Zoxpng descriptions.

Rodel Finones & Steven Zhou 
MMPC
 


Comments (1)

  1. Peter says:

    Why is it that none of the domain names mentioned in this article are classified as "Malicious" by the Microsoft Reputation Service?
