A marked increase in the volume and velocity of spam email campaigns containing malicious attachments is spreading the Tofsee malware and botnet at unprecedented aggression levels.
According to Talos, Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
In the latest wave, the initial infection for this variant of Tofsee is accomplished by convincing users to open malicious attachments that are delivered via phishing emails. The phishing emails purport to be from women in Eastern Europe (namely Russia and Ukraine) and the theme of the emails is (what else?) adult dating. The messages purport to contain an attached zip archive with pictures of the sender as well as links to a Russian adult dating website.
“Threats are constantly evolving as attackers change the way in which they attempt to distribute malware and attack systems,” said Talos researcher Edmund Brumaghin, in a blog. “Threat actors also constantly strive to expand their presence by taking advantage of the ever increasing number of Internet users and devices.”
Earlier this year, Talos found that the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Now, appears that the botnet operator has ditched passive techniques.
“The RIG exploit kit moved from distributing Tofsee to other payloads, possibly because distributing them was more attractive to cybercriminals from a monetization standpoint or simply because different actors began using this exploit kit as a distribution mechanism for their malware,” said Brumaghin. “When RIG stopped distributing Tofsee payloads, those responsible for Tofsee switched to alternative distribution methods.”
The nature of the spam has changed as well, he added.
“While the Tofsee botnet has been known for sending spam messages, the messages have historically contained links to adult dating and pharmaceutical websites,” he said. “The Tofsee spam botnet has begun utilizing malicious attachments that function as malware downloaders. This activity has increased in velocity and volume.”
Photo © wk1003mike